Splunk cloud with MFA through Cisco ISE

John Mink · ‎08-09-2022

Hello!

So I have a bit of an interesting idea that I'm trying to accomplish. I currently have Splunk Cloud setup with an LDAP bind to my Azure AD setup and it works just fine. I also have a on-prem ISE setup that will force MFA for things like VPN and so forth through radius. What I'm trying to do is point splunk to my on-prem ISE setup and have it BIND with my ISE setup to see if I can't force MFA that way. The trouble that I'm running into is Binding splunk to ISE which I'm not sure if that is even possible. I'm sure there is a way of doing this through possible proxies or Network policy servers, but I'd like to use what I have and not have to resort to other applications like Duo and so forth. I know that path would work, but I'd like to try and use the path I already have setup. It might not even be possible, but I'm sure there is a way

The end goal here is to get Splunk (or other apps) to force MFA through ISE. Any thoughts?

Path:

user login --> Splunk (cloud) ---> ISE (on-prem) --> ISE to Azure (NPS proxy that prompts MFA) --> user logs in

urathod · ‎10-04-2022

Hello John,

For deploying Splunk-for-ISE Add-on & Cisco Identity Service Engine (ISE) please refer below link.

https://community.cisco.com/t5/security-knowledge-base/identity-services-engine-and-splunk-apps-configuration-guide/ta-p/3735814

You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco Endpoint Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

If this doesn't help please email me, I would like to setup a Webex to discuss your issues.

Thanks,

Ujjawal

urathod@cisco.com

Peter Koltl · ‎12-09-2022

Cisco ISE serves RADIUS requests. Splunk Cloud will not send RADIUS requests to your on-prem ISE.