Configuring Cisco ACS¶
Add the Splunk server to your Network Resources:¶
Network Resources > Network Device Groups > Network Devices and AAA Clients. Click on Create button. Fill in "Name" and "Description" field. We use Location to logically group devices, Device Type is also an option. Define IP address(es) in "Single IP Address" or "IP Subnets". Tick the RADIUS checkbox and define the "Shared Secret" field. Enter the key used for authentication.
Defining roles (to use RADIUS to assign roles):¶
If you intend to use roles, set the VSA (Vendor Specific Attributes) properly (ignore 2 paragraphs if you don't need roles).
System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA (click on name to get listing & create button). Click on "Create". Define "Splunk" as "Name", set "27389" as "Vendor ID". Click on "Submit" to save. Click on "Splunk" in the list on the left panel (below RADIUS VSA). In Splunk VSA, click on "Create". Set "SplunkRole" as "Attribute" value, set "Vendor Attribute ID" to 1. Set "Attribute Type" to "String".
Define an Authorization Profile:¶
Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles. Click on the "Create" button. Define "Name" and "Description". Create an entry for each role you require. In the RADIUS Attribute tab, set "Dictionary Type" to "RADIUS-Splunk". Select the RADIUS Attribute (click on "Select" button). Select "SplunkRole" from the list and click "OK". Set a "Static Attribute Value". Click on the "Add" button to add the attributes to the list (IMPORTANT!! EASILY OVERLOOKED). Click on "Submit" to save the Authorization Profiles.
Set Access Policy:¶
Access Policies > Access Services. Click on title "Access Services". Click on the "Create" button. Set "Name" to Splunk". Create a new "User Selected User Type" based on "Network Access". Leave default options. Select the following protocols (not tested with less): Process Host Lookup, Allow PAP/ASCII, Allow CHAP, Allow MS-CHAPv1, Allow MS-CHAPv2.
Click on "Service Selection Rules" and click on "Create" button. Set "Name" to "Splunk". Set the "Protocol" to RADIUS, set the NDG:Location to "All Location:Whichever group you assigned". Select "Splunk" as Results. Customize the Service Selection Policy if needed by clicking on the Customize button in the lower right corner.
From the Access Services list, expand the Splunk policy and open "Identity". Select the Identity Source. Typically set it to Internal Users. Open the Authorization. Click on the "Create" button. For the conditions, select proper Identity Group. We have "Internal Users:UserIdentityGroup in All Groups:Administrator Users". In the Results, set the Authorization Profiles to "Splunk Admin" or "Splunk User" to define the proper profile.
Save changes by clicking on "Save Changes".
In Splunk, set the RADIUS Server/Password/Secret to the RADIUS shared secret you configured earlier. You can use "Splunk" as identifier. Use the correct Attribute ID and the Vendor Code (1 and 27389 respectively).