Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Splunk Auth with Radius and Vendor-Specific attrib...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone have experience or code they can share configuring Splunk to authenticate via radiusScripted to Radius but leverage the "Vendor-Specific Attribute" (VSA) field allowing radius to return a "Vendor ID" (VID) and "Vendor Data" to have Splunk identify the user's group without a userMapping pre-seed file?
Some info on VSA from Cisco
Splunk's VID according to iana
27389
Splunk, Inc.
Carl Jackson
carl&splunk.com
TIA, Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an app on Splunk-base which will allow authentication via RADIUS and incorporation of roles from the server. See radius-authentication.
The setup screen will allow you to select the vendor-specific attribute that contains the user roles. You can also map the roles using a lookup file if you want to override the server provided roles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an app on Splunk-base which will allow authentication via RADIUS and incorporation of roles from the server. See radius-authentication.
The setup screen will allow you to select the vendor-specific attribute that contains the user roles. You can also map the roles using a lookup file if you want to override the server provided roles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LukeMurphey
Thanks! I wrote a ScriptedInput where I did all of this a few years ago and have used it twice since then, but what you referenced is much easier to implement and for the customer to manage. Thanks for pointing it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Josh,
It has two parts:
1. Use extended attributes in radius to return "more" to the requesting radius client. In this case, return fields that can be used to signify role such as "Splunk-Role = 'power'"
2. Modify the radiusScripted.py to accomodate the additional info returned from radius.
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a matter of having the radius request provide more data, or a matter of having the radius response handler make decisions on more data, or something else?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
