[Guide] Using ClearPass for Access to Splunk


This guide assumes you already have Splunk up and running. You will need administrative access in Splunk to be able to add Apps.

 

I'll be using existing management role mappings and will not cover that piece.

 

A generic service (which includes enforcement profiles and policies) and the custom RADIUS dictionary are attached to this post for import.

 

Let's start in ClearPass

 

1) Import the custom Splunk RADIUS dictionary (attached to this post).  

[Administration > Dictionaries > RADIUS]

 


 

 

2) Create enforcement profiles for each access level  

[Configuration > Enforcement > Profiles]

 

     - Type: RADIUS Based Enforcement

     - Attributes:  Radius:Splunk     groups (1)     =   <group name*>

 


 

*The group name should correspond to a Splunk access role 


 

3) Create a new service

     - Type: RADIUS Enforcement (Generic)

     - Service Rules:

          1.    RADIUS:IETF       NAS-Identifier      EQUALS       Splunk

          2.    Connection            Src-IP-Address    EQUALS       <splunk-server-IP>

 


 

4) On the authentication tab, add PAP under authentication methods and add your authentication source

(AD, LDAP, local user db, etc)


 

5) Select or create a role map (optional)

 

6) Create your enforcement policy to map identity (TIPS roles or direct AD membership) to a Splunk Role enforcement profile

 


 

 

7) Save your service

 

8) Add a new network device for Splunk and specify a RADIUS shared secret.

[Configuration > Network > Devices]

 


 

 

 

Over to Splunk

 

1) Under "Apps" at the top near the Splunk logo, click Manage Apps



 

 

2) Click "Browse for more apps" and then search for RADIUS. Install the "RADIUS Authentication" app by Luke Murphey.


 

 

3) Follow the steps and restart Splunk. Once Splunk restarts, it will ask you to set up the app.

 


 

 

4) RADIUS Server Information

 

Enter your ClearPass server(s) and shared secrets.

 

If you wish to change the default identifier (Splunk), be sure to update this value in your service for NAS-Identifier.

 

Under role assignments, enter "27389" for the Vendor Code and "1" for the attribute ID.

 

If you'd like Splunk to assign a default role if one is not returned from ClearPass, specify it in the box.

 

When finished, click Save at the bottom right.

 


 

 

 

 

That's it!

 

Log out of Splunk (or fire up another browser) and log in with your network credentials!

 



Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
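
An added example, not part of the original post and not code from the Splunk app or ClearPass: Python that verifies an Access-Accept's Response Authenticator against the shared secret and then extracts the Splunk role from the vendor-specific attribute configured above (vendor code 27389, attribute ID 1). It assumes the standard RFC 2865 VSA layout; the packet, secret, and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

VENDOR_ID = 27389      # "Vendor Code" from the Splunk app setup step
GROUPS_ATTR = 1        # "attribute ID" from the same step
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26
# Constructed sample values, not taken from the post.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def build_accept(ident, request_auth, secret, role):
    """Build a constructed Access-Accept carrying one role VSA (sample input)."""
    value = role.encode()
    vsa = struct.pack("!IBB", VENDOR_ID, GROUPS_ATTR, len(value) + 2) + value
    attrs = struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def splunk_roles(packet, request_auth, secret):
    """Verify the Response Authenticator, then return the role values found."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    roles, pos = [], 0
    while code == ACCESS_ACCEPT and pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if (vendor, vtype) == (VENDOR_ID, GROUPS_ATTR) and 2 <= vlen <= len(body) - 4:
                roles.append(body[6:4 + vlen].decode())
        pos += alen
    return roles


if __name__ == "__main__":
    pkt = build_accept(7, REQUEST_AUTH, SECRET, "admin")
    print(splunk_roles(pkt, REQUEST_AUTH, SECRET))
```

An empty list from a verified Access-Accept means no role attribute was returned, which is the case where Splunk falls back to the default role if one was specified in the app setup.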