Rublon

Secure Remote Access

By

Last updated on February 6, 2025

Overview of MFA for Barracuda SSL VPN

Multi-Factor Authentication (MFA) for Barracuda SSL VPN is an extra layer of security that requires users to provide two authentication factors to gain access to Barracuda SSL VPN The first factor involves the user entering their Active Directory / RADIUS username and password. After completing the first factor, the user undergoes secondary authentication using one of the available authentication methods, such as Mobile Push or Email Link. After completing both factors, the user gains access to the resource. Enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for Barracuda SSL VPN prevents hackers from gaining access to resources even if they know the user’s login credentials.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Before you start

You need to install and configure Rublon Authentication Proxy itself before configuring Barracuda to work with it. Read Rublon Authentication Proxy and follow the steps in the Installation and Configuration sections. Afterward, follow the appropriate Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like FreeRADIUS.

Configuration of MFA for Barracuda SSL VPN

1. Log in to Barracuda VPN interface.

2. Go to Users → External Authentication.

3. Select RADIUS. Fill in the form. Refer to the following image and table to learn more about the settings. Click Save to save the changes.

Server AddressEnter the IP of your Rublon Authentication Proxy server.
Server PortEnter the port of your Rublon Authentication Proxy server.
Server KeyEnter the Rublon Authentication Proxy server Secret.
Group AttributeKeep the default value.
Group Attribute DelimiterKeep the default value.
NAS IDIf your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
NAS IP AddressIf your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
NAS IP PortIf your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
Group Information FromSet to blank/empty.

4. Go to VPN → SSL VPN.

5. Navigate to the Authentication section. Select RADIUS in User Authentication. Click Save.

6. Your configuration is now complete. Users have Rublon 2FA enabled when logging in to your VPN.

Log in to Barracuda using MFA for Barracuda SSL VPN

1. Run CudaLaunch.

2. Provide the hostname of the server you want to connect to.

3. Provide your username and password. Click Log in.

4. Check your mailbox for an email from Rublon. Open the email, and click Sign In.

5. You will be successfully logged in to the VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

Helper User Scheme is known to block connections to the Rublon API, so turn it off if you are experiencing connection issues.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations