Rublon

Secure Remote Access

By

Last updated on August 5, 2025

The Rublon Authentication Proxy can work as an LDAP Proxy Server or a RADIUS Proxy Server. In this article, we will walk you through the configuration of the Auth Proxy as a RADIUS Proxy Server and explain it step by step so that you can enable sophisticated MFA for RADIUS. We will use the .yaml format for the configuration file.

We will configure a single RADIUS Proxy Server that connects to a single RADIUS authentication source. For this article, our RADIUS authentication source will be FreeRADIUS. Note that you can also use an LDAP authentication source like Active Directory together with the RADIUS proxy server configuration. However, this will force you to use the PAP communication protocol, which is not recommended.

Haven’t Started With Rublon MFA Yet?

Protect your RADIUS and Active Directory users from hackers with our robust multi-factor authentication. Integrate with any VPN via RADIUS or LDAP authentication protocols.

Start Your Free Trial (No Credit Card Required)

Start From the Configuration Template

Download and install the Rublon Authentication Proxy if you haven’t already.

In the config/examples directory (for both Windows and Linux) you can find the config.template.yaml file. Let’s use it.

 log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token:
  secret_key:

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: secret_to_communicate_with_the_proxy
    ip:
    port: 1812
    mode: standard
    auth_source: RADIUS_SOURCE_1
    auth_method: email
  - name: LDAP-Proxy
    type: LDAP
    ip:
    port: 389
    auth_source: LDAP_SOURCE_1
    auth_method: email

auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip:
    port: 389
    transport_type: plain
    search_dn:
    access_user_dn:
    access_user_password:
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip:
    port: 1812
    radius_secret: secret_to_communicate_with_the_auth_source

As you can see, the template provides options for both LDAP and RADIUS proxy. Let’s remove the LDAP-related fields, as we won’t need them. Let’s also temporarily set the debug option to “true”.

 log:
  debug: true

rublon:
  api_server: https://core.rublon.net
  system_token:
  secret_key:

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: secret_to_communicate_with_the_proxy
    ip:
    port: 1812
    mode: standard
    auth_source: RADIUS_SOURCE_1
    auth_method: email

auth_sources:
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip:
    port: 1812
    radius_secret: secret_to_communicate_with_the_auth_source

Now we have the basic template that we can build upon.

MFA For RADIUS

Interested? Try our robust multi-factor authentication for 30 days for free and see how simple it is.

Start Free Trial No Credit Card Required

Configuring the rublon and global Sections

To get the API credentials required for the rublon section, sign in to the Rublon Admin Console and add a new application of type Rublon Authentication Proxy. Then, update your rublon section with the values of System Token and Secret Key copied from the Admin Console. It should look something like this:

rublon:
  api_server: https://core.rublon.net
  system_token: YOURTOKEN
  secret_key: yoursecret

Note: Starting with version 3.8.0, you can store Rublon Authentication Proxy secrets in OS environment variables by setting the secret_source option to env in the global section of the config. For more information, refer to Configuring the Rublon Authentication Proxy Secret Source.

Note: You can define more than one rublon section. For more information, refer to the Auth Proxy documentation on the rublon section.

Be aware that when users log in for the first time, they will not have an email address associated with their account. When the default Automatic enrollment type is set in the Admin Console, users will be added to the Users tab during the first login, but will not have an email address assigned to their profile, which is required to perform Rublon MFA. You will have to import users from CSV or manually set the users’ email addresses.

Configuring the RADIUS Authentication Source

Let’s have a look at the current auth_sources section:

auth_sources:
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip:
    port: 1812
    radius_secret: secret_to_communicate_with_the_auth_source

You are almost good to go. There are only two things you must do:

  1. Enter the IP address of your RADIUS server (e.g., FreeRADIUS) in the ip option.
  2. Enter a strong RADIUS secret in the radius_secret option. This the RADIUS secret that will be used when communicating with FreeRADIUS, so both applications must have the same RADIUS secret. We recommend using a password-generating tool to generate a strong secret.

This is it for the required options. There are a few other optional options you can set in this section:

  • You can set timeout and retries. If you don’t, default values.
  • If you wish to use a non-PAP protocol, this is possible by proxying requests to your RADIUS server using the proxy_requests: true option. We strongly recommend you use a non-PAP protocol like EAP-MS-CHAPv2 for greater security.
  • You can also set nas_ip_address if needed.
  • You can read more about each option in the Rublon Authentication Proxy documentation.

We will not use any of the preceding in this basic tutorial, so the auth_sources section now looks like this:

auth_sources:
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip: 10.0.2.0
    port: 1812
    radius_secret: 7iWX6XjVrsI0iVi

Get started by signing up for a Free 30-Day Rublon Trial →

Configuring the RADIUS Proxy Server

Our current proxy_servers section in the configuration looks like this:

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: secret_to_communicate_with_the_proxy
    ip:
    port: 1812
    mode: standard
    auth_source: RADIUS_SOURCE_1
    auth_method: email

Here’s a step-by-step instruction on what to do:

  1. Ensure the name is unique. However, if this is the only proxy server you defined, its name is unique by default.
  2. Ensure type is set to RADIUS.
  3. Generate and enter a strong radius_secret. This is the RADIUS secret that will be used when communicating with the integrated application (e.g., your VPN), so both applications must have the same RADIUS secret. We recommend a different secret from the one you set in the auth_sources section.
  4. Set the IP address the Rublon Authentication Proxy will be listening on in the ip option.
  5. Keep the default port or change it if needed.
  6. Pick the mode you want to use. For most use cases, it is sufficient to keep the standard mode. You can learn more in Rublon Authentication Proxy RADIUS Modes Explained.
  7. Ensure the name set in the auth_source option matches the name you defined in the auth_sources section.
  8. Select the auth_method you wish to use.
  9. You can read more about each option in the Rublon Authentication Proxy documentation.

There are some other optional options that you can (but do not have to) use:

  • Add options use_append_mode & append_mode_separator to enable the Append Mode.
  • Add fail_mode: deny if you want to deny users when connection issues with a Rublon server occur. We suggest configuring this option only after you have completed setting up the Auth Proxy and verified it works properly.
  • Add client_ip_attr and radius_class_attr if required by your integrated application.

We will not use any of the preceding in this basic tutorial, so the proxy_servers section now looks like this:

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: jH4SMPBceRFi19Z
    ip: 192.168.1.13
    port: 1812
    mode: standard
    auth_source: RADIUS_SOURCE_1
    auth_method: email

The Configuration File We Ended Up With

log:
  debug: true

rublon:
  api_server: https://core.rublon.net
  system_token: YOURTOKEN
  secret_key: yoursecret

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: jH4SMPBceRFi19Z
    ip: 192.168.1.13
    port: 1812
    mode: standard
    auth_source: RADIUS_SOURCE_1
    auth_method: email

auth_sources:
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip: 10.0.2.0
    port: 1812
    radius_secret: 7iWX6XjVrsI0iVi

Running and Testing

After the configuration is complete, let’s start the Rublon Authentication Proxy and see if it’s working. 

Use whatever software you try to integrate with. In our case, we will use NTRadPing.

If you wish to learn how to use NTRadPing, refer to our article on this:

We sent a request and received an Email Link. After finishing MFA authentication, we got a successful response in the RADIUS Server reply text field.

Additionally, a message in the rublonauthproxy.log file confirms our test’s success.

Rublon: User: test (test@rublon.com) has confirmed their identity using 2FA. Access granted.

Summary

The Rublon Authentication Proxy can be configured as a RADIUS Proxy Server, enabling secure authentication via a RADIUS authentication source like FreeRADIUS. This guide walked you through setting up the proxy using a YAML configuration file. Starting with a provided template, we customized the proxy_servers and auth_sources sections to connect the proxy to the RADIUS authentication source. We then tested the setup using NTRadPing, verifying that the proxy successfully processes authentication requests, confirms identities via MFA, and logs successful responses.