Multi-Factor Authentication (2FA/MFA) for Barracuda Client-To-Site VPN

Last updated on February 6, 2025

Overview of MFA for Barracuda Client-To-Site VPN

Multi-Factor Authentication (MFA) for Barracuda Client-To-Site VPN adds an additional layer of security which requires users to provide two proofs of identity before they can gain access. First, they must enter a valid Active Directory/RADIUS username and password. Next, they must complete a secondary authentication process using an authentication method, such as Mobile Push or Email Link. Once both factors have been successfully completed, the user is granted access to the resource. Implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for the Barracuda Client-To-Site VPN makes it much harder for hackers to gain access to resources even if they have login credentials.

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	–	N/A
Passcode	✔	N/A
SMS Passcode	–	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	–	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Before you start

You need to install and configure Rublon Authentication Proxy itself before configuring Barracuda to work with it. Read Rublon Authentication Proxy and follow the steps in Installation and Configuration sections. Afterward, follow the appropriate Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like FreeRADIUS.

Configuration of MFA for Barracuda Client-To-Site VPN

1. Log in to Barracuda VPN interface.

2. Go to Users → External Authentication.

3. Select RADIUS. Fill in the form. Refer to the following image and table to learn more about the settings. Click Save to save the changes.

Server Address	Enter the IP of your Rublon Authentication Proxy server.
Server Port	Enter the port of your Rublon Authentication Proxy server.
Server Key	Enter the Rublon Authentication Proxy server Secret.
Group Attribute	Keep the default value.
Group Attribute Delimiter	Keep the default value.
NAS ID	If your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
NAS IP Address	If your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
NAS IP Port	If your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
Group Information From	Set to MSAD.

4. Go to VPN → Client-To-Site VPN.

5. Navigate to the Settings section. Select RADIUS in User Authentication. Click Save to save the change.

6. Your configuration is now complete. Users have Rublon 2FA enabled when logging in to your VPN.

Log in to Barracuda using MFA for Barracuda Client-To-Site VPN

1. Run Barracuda Network Access Client.

2. Create a new profile depending on your needs, or use an already existing one.

3. Right-click your profile and select Connect.

4. Provide your username and password, and click Connect.

5. Check your mailbox for an email from Rublon. Open the email, and click Sign In.

6. You will be successfully logged in to the VPN.

Troubleshooting

Helper User Scheme is known to block connections to the Rublon API, so turn it off if you are experiencing connection issues.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations