Splunk Auth with Radius and Vendor-Specific attribute for role-mapping

sdwilkerson
Contributor

Does anyone have experience or code they can share configuring Splunk to authenticate via radiusScripted to Radius but leverage the "Vendor-Specific Attribute" (VSA) field allowing radius to return a "Vendor ID" (VID) and "Vendor Data" to have Splunk identify the user's group without a userMapping pre-seed file?

Some info on VSA from Cisco

Splunk's VID according to iana
27389
Splunk, Inc.
Carl Jackson
carl&splunk.com

TIA, Sean

1 Solution

LukeMurphey
Champion

There is an app on Splunk-base which will allow authentication via RADIUS and incorporation of roles from the server. See radius-authentication.

The setup screen will allow you to select the vendor-specific attribute that contains the user roles. You can also map the roles using a lookup file if you want to override the server provided roles.

0 Karma

sdwilkerson
Contributor

LukeMurphey
Thanks! I wrote a ScriptedInput where I did all of this a few years ago and have used it twice since then, but what you referenced is much easier to implement and for the customer to manage. Thanks for pointing it out.

0 Karma

sdwilkerson
Contributor

Josh,
It has two parts:
1. Use extended attributes in radius to return "more" to the requesting radius client. In this case, return fields that can be used to signify role such as "Splunk-Role = 'power'"
2. Modify the radiusScripted.py to accommodate the additional info returned from radius.
Sean

0 Karma
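As an added illustration of the two parts described above (not code from this thread, from the radius-authentication app, or from Splunk's radiusScripted.py), a response handler could verify an Access-Accept and read roles only from VSAs carrying Splunk's vendor ID 27389. The sub-attribute number, the role allow-list, the function names and the sample packet builder are assumptions made for the example.

```python
import hashlib, hmac, struct

SPLUNK_VENDOR_ID = 27389   # Splunk's IANA enterprise number (from the question)
ROLE_SUBTYPE = 1           # assumption: vendor sub-attribute 1 carries the role
ALLOWED_ROLES = {"user", "power", "admin"}  # assumption: roles this site accepts
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26      # RFC 2865 packet code / attribute type

def _auth(head, request_auth, attrs, secret):
    # RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def roles_from_accept(packet, request_auth, secret):
    """Return allow-listed roles from Splunk VSAs in a verified Access-Accept."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    good = _auth(packet[:4], request_auth, packet[20:], secret)
    if code != ACCESS_ACCEPT or not hmac.compare_digest(good, packet[4:20]):
        raise ValueError("not a verified Access-Accept")
    roles, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != SPLUNK_VENDOR_ID:
            continue  # another vendor's VSA must never grant a Splunk role
        sub = value[4:]
        # Walk the vendor sub-attributes; stop at the first malformed one.
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            role = sub[2:sub[1]].decode("ascii", "replace")
            if sub[0] == ROLE_SUBTYPE and role in ALLOWED_ROLES:
                roles.append(role)
            sub = sub[sub[1]:]
    return roles

def build_accept(vsas, request_auth, secret, ident=7):
    """Constructed sample: Access-Accept with (vendor_id, subtype, text) VSAs."""
    attrs = b"".join(
        struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(t), vid, st, 2 + len(t)) + t
        for vid, st, t in vsas)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + _auth(head, request_auth, attrs, secret) + attrs
```

Role names outside the allow-list, VSAs from other vendor IDs, and packets whose authenticator does not match the shared secret yield no roles.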

jrodman
Splunk Employee

Is this a matter of having the radius request provide more data, or a matter of having the radius response handler make decisions on more data, or something else?

0 Karma