WE performed a test this morning with DUO\SPLUNK and it worked fine, however it also forced our local splunk accounts to use DUO. We are also not sure on how this would impact those local accounts that are used in scripts that access the API.
Is there a way around this or is it all or nothing?
Docs start here, if you haven't found them yet: About two-factor authentication with Duo Security in the Securing Splunk Enterprise manual.
The Configure Splunk Enterprise to use Duo Security two-factor authentication topic states that you can use it with scripted authentication.
so these docs are great, however I already had DUO setup, the issue I ran into is that built in ADMIN account when logging on the UI is also pushed through 2 factor auth. We use Active directory, which that account is not part of. So I was actually looking to see if there was a configuration setting that allowed certain ID's to bypass 2 factor?
I also use the API from C# and Python, so not sure if that uses the same auth method or not.
I haven't used DUO with Splunk yet, but have used DUO as additional protection for SSH logins.
There, you could exclude certain user accounts, or source IPs from having to use the DUO two-factor.
It was simply available in the DUO admin interface on their website - look for something like bypass.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂