
[Guide] Using ClearPass for Access to Splunk

This guide assumes you already have Splunk up and running. You will need administrative access in Splunk to be able to add Apps.


I'll be using existing management role mappings and will not cover that piece.


A generic service (which includes enforcement profiles and policies) and the custom RADIUS dictionary are attached to this post for import.


Let's start in ClearPass


1) Import the custom Splunk RADIUS dictionary (attached to this post).  

[Administration > Dictionaries > RADIUS]





2) Create enforcement profiles for each access level  

[Configuration > Enforcement > Profiles]


     - Type: RADIUS Based Enforcement

     - Attributes:  Radius:Splunk     groups (1)     =   <group name*>




*The group name should correspond to a Splunk access role 



3) Create a new service

     - Type: RADIUS Enforcement (Generic)

     - Service Rules:

          1.    RADIUS:IETF       NAS-Identifier      EQUALS       Splunk

          2.    Connection            Src-IP-Address    EQUALS       <splunk-server-IP>




4) On the authentication tab, add PAP under authentication methods and add your authentication source (AD, LDAP, local user db, etc.)



5) Select or create a role map (optional)


6) Create your enforcement policy to map identity (TIPS roles or direct AD membership) to a Splunk Role enforcement profile





7) Save your service


8) Add a new network device for Splunk and specify a RADIUS shared secret.

[Configuration > Network > Devices]






Over to Splunk


1) Under "Apps" at the top near the Splunk logo, click Manage Apps




2) Click "Browse for more apps" and then search for RADIUS. Install the "RADIUS Authentication" app by Luke Murphey.




3) Follow the steps and restart Splunk. Once Splunk restarts, it will ask you to set up the app.





4) RADIUS Server Information


Enter your ClearPass server(s) and shared secrets.


If you wish to change the default identifier (Splunk), be sure to update this value in your service for NAS-Identifier.


Under role assignments, enter "27389" for the Vendor Code and "1" for the attribute ID.


If you'd like Splunk to assign a default role if one is not returned from ClearPass, specify it in the box.


When finished, click Save at the bottom right.







That's it!


Log out of Splunk (or fire up another browser) and log in with your network credentials!








Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
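
To check what ClearPass actually returns to Splunk, the following added example (not part of the original post, and not the RADIUS Authentication app's own code) parses an Access-Accept and extracts the role values from Vendor-Specific attributes with vendor code 27389 and attribute ID 1. It assumes the groups attribute is a string; the function names and the sample packet builder are constructed for illustration, and the default-role fallback only models the behaviour described in step 4 of the Splunk setup.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that carries VSAs
SPLUNK_VENDOR_ID = 27389  # "Vendor Code" entered in the Splunk app setup
SPLUNK_GROUPS_ATTR = 1    # "attribute ID" entered in the Splunk app setup
ACCESS_ACCEPT = 2         # RADIUS packet code


def iter_tlvs(buf):
    """Yield (type, value) from a run of 1-byte-type / 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        a_type, a_len = buf[pos], buf[pos + 1]
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len


def splunk_roles(packet, default_role=None):
    """Return roles from an Access-Accept; fall back to default_role if none."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return []  # a reject or challenge never yields a role, default included
    roles = []
    for a_type, value in iter_tlvs(packet[20:length]):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != SPLUNK_VENDOR_ID:
            continue  # VSA from another vendor
        for sub_type, sub_val in iter_tlvs(value[4:]):
            if sub_type == SPLUNK_GROUPS_ATTR:
                roles.append(sub_val.decode("utf-8"))  # assumption: string type
    return roles or ([default_role] if default_role else [])


def build_accept(groups):
    """Constructed sample: Access-Accept with one VSA per group name."""
    attrs = b""
    for g in groups:
        raw = g.encode()
        vsa = struct.pack("!I", SPLUNK_VENDOR_ID) + bytes([SPLUNK_GROUPS_ATTR, 2 + len(raw)]) + raw
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    # Authenticator is zeroed here; this parser does not validate it.
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Pass `splunk_roles` the UDP payload of a captured Access-Accept; an empty result with no default role configured means the enforcement policy did not match a Splunk role profile.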