We are setting Splunk up to use Radius with SecurID (2 factor). We have this working, but ran into an issue when a SecurID token is not in a "normal" mode.
SecurID has what is called new pin mode where a Radius/SecurID site will prompt the user to create a new PIN for their SecurID card as well as a "Next token" mode where the site being authenticated to will prompt the user after they enter the number on their SecurID card when it changes in order to re-sync the token and the SecurID server. Also (I haven't been able to test this) SecurID users tokens could be locked and require a reset.
We are hoping that there is a way to prompt the user for New PIN, next token and inform them their token is locked via the Splunk login page. I know that the existing Radius authentication script does not support this, but even if we were able to re-write the script I am wondering if Splunk can be customized in a way to provide the ability to deal with those 3 scenarios (New PIN/Next Token/Token Locked).
There is really no facility to do this in Splunk. If the user can't log into Splunk, they may be required to go to some other url/application to update their PIN.