Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Guide] Using ClearPass for Access to Splunk


    EMPLOYEE
    Posted Jan 06, 2015 06:57 PM

    This guide assumes you already have Splunk up and running. You will need administrative access in Splunk to be able to add Apps.

     

    I'll be using existing management role mappings and will not cover that piece.

     

    A generic service (which includes enforcement profiles and policies) and the custom RADIUS dictionary are attached to this post for import.

     

    Let's start in ClearPass

     

    1) Import the custom Splunk RADIUS dictionary (attached to this post).  

    [Administration > Dictionaries > RADIUS]

     


    2) Create enforcement profiles for each access level  

    [Configuration > Enforcement > Profiles]

     

         - Type: RADIUS Based Enforcement

         - Attributes:  Radius:Splunk     groups (1)     =   <group name*>

     


    *The group name should correspond to a Splunk access role 


    3) Create a new service

         - Type: RADIUS Enforcement (Generic)

         - Service Rules:

              1.    RADIUS:IETF       NAS-Identifier      EQUALS       Splunk

              2.    Connection            Src-IP-Address    EQUALS       <splunk-server-IP>

     


    4) On the authentication tab, add PAP under authentication methods and add your authentication source (AD, LDAP, local user db, etc.)

    5) Select or create a role map (optional)

     

    6) Create your enforcement policy to map identity (TIPS roles or direct AD membership) to a Splunk Role enforcement profile

     


    7) Save your service

     

    8) Add a new network device for Splunk and specify a RADIUS shared secret.

    [Configuration > Network > Devices]

     


    Over to Splunk

     

    1) Under "Apps" at the top near the Splunk logo, click Manage Apps



    2) Click "Browse for more apps" and then search for RADIUS. Install the "RADIUS Authentication" app by Luke Murphey.


    3) Follow the steps and restart Splunk. Once Splunk restarts, it will ask you to set up the app.

     


    4) RADIUS Server Information

     

    Enter your ClearPass server(s) and shared secrets.

     

    If you wish to change the default identifier (Splunk), be sure to update this value in your service for NAS-Identifier.

     

    Under role assignments, enter "27389" for the Vendor Code and "1" for the attribute ID.

     

    If you'd like Splunk to assign a default role if one is not returned from ClearPass, specify it in the box.

     

    When finished, click Save at the bottom right.

     


    That's it!

     

    Log out of Splunk (or fire up another browser) and log in with your network credentials!

     


    Attachment(s)

    zip
    Splunk-ClearPass-MGMT.zip   2 KB 1 version
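
How the role configured above travels in the RADIUS reply, as an added example that is not part of the original post or of the RADIUS Authentication app: it parses an Access-Accept and extracts the vendor-specific attribute with Vendor Code 27389 and attribute ID 1, which is useful for checking a captured reply when the expected Splunk role is not applied. The function names, the constructed sample packet (zeroed authenticator, not verified against the shared secret), and the default-role fallback modelled on the guide's description are assumptions.

```python
import struct

SPLUNK_VENDOR_ID = 27389  # "Vendor Code" from the guide's role assignment step
ROLE_ATTR_ID = 1          # "attribute ID": groups (1) in the custom dictionary
VSA_TYPE = 26             # Vendor-Specific attribute type, RFC 2865
ACCESS_ACCEPT = 2

def radius_attributes(packet):
    """Yield (type, value) for every attribute, validating lengths (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_len = packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + a_len]
        pos += a_len

def splunk_roles(packet, default_role=None):
    """Roles carried in VSA 27389/1 of an Access-Accept; assumed default-role fallback."""
    attrs = list(radius_attributes(packet))
    if packet[0] != ACCESS_ACCEPT:
        return []  # a reject or challenge never yields a role
    roles = []
    for a_type, value in attrs:
        if a_type != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != SPLUNK_VENDOR_ID:
            continue  # another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == ROLE_ATTR_ID:
                roles.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return roles or ([default_role] if default_role else [])

def build_packet(roles, vendor=SPLUNK_VENDOR_ID, code=ACCESS_ACCEPT):
    """Constructed sample packet; zeroed authenticator, not a verified response."""
    attrs = b""
    for role in roles:
        sub = bytes([ROLE_ATTR_ID, 2 + len(role)]) + role.encode()
        attrs += bytes([VSA_TYPE, 6 + len(sub)]) + struct.pack("!I", vendor) + sub
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs
```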