How does DUO authentication for SPLUNK work?

pfabrizi · ‎05-15-2018

WE performed a test this morning with DUO\SPLUNK and it worked fine, however it also forced our local splunk accounts to use DUO. We are also not sure on how this would impact those local accounts that are used in scripts that access the API.
Is there a way around this or is it all or nothing?

Thanks!

ChrisG · ‎05-15-2018

Docs start here, if you haven't found them yet: About two-factor authentication with Duo Security in the Securing Splunk Enterprise manual.

The Configure Splunk Enterprise to use Duo Security two-factor authentication topic states that you can use it with scripted authentication.

pfabrizi · ‎05-16-2018

so these docs are great, however I already had DUO setup, the issue I ran into is that built in ADMIN account when logging on the UI is also pushed through 2 factor auth. We use Active directory, which that account is not part of. So I was actually looking to see if there was a configuration setting that allowed certain ID's to bypass 2 factor?

I also use the API from C# and Python, so not sure if that uses the same auth method or not.

Thanks!

xpac · ‎05-15-2018

Hey,
I haven't used DUO with Splunk yet, but have used DUO as additional protection for SSH logins.
There, you could exclude certain user accounts, or source IPs from having to use the DUO two-factor.
It was simply available in the DUO admin interface on their website - look for something like bypass.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

How does DUO authentication for SPLUNK work?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?