Rublon

Secure Remote Access

By

Last updated on July 8, 2025

Multi-Factor Authentication (MFA) for Cisco RV Series VPN is an additional layer of security to protect your VPN from cybercriminals. In addition to the regular login and password credentials, users must also complete a second authentication step. This secondary authentication involves the user receiving a Mobile Push authentication request on their mobile device and approving it before being granted access to the VPN. Thanks to Cisco RV Series VPN MFA, even if a cybercriminal manages to get hold of your password, they will still be unable to connect to the VPN.

Overview of MFA for Cisco RV Series

Rublon Multi-Factor Authentication for Cisco RV Series VPN allows you to add an extra layer of security to your Cisco RV Series VPN logins. MFA for Cisco RV Series VPN is done using the Rublon Authentication Proxy.

Rublon MFA for Cisco RV Series VPN enables Multi-Factor Authentication (MFA) / Two-Factor Authentication (2FA) during Cisco VPN connections via SSL, PPTP, and L2TP. If a user successfully enters the correct username and password, they will be required to complete an additional authentication method. If the user cannot complete secondary authentication, Rublon will deny access, thus preventing any potential intruder from gaining access.

This document applies to the following Cisco RV Series router models:

  • RV160, RV160W
  • RV260, RV260P, RV260W
  • RV320
  • RV325
  • RV340, RV340W
  • RV345, RV345P
  • Cisco RVL200 4-Port SSL/IPSec VPN Router (= Linksys 4-Port SSL/IPSec VPN Router)

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Before You Start Configuring MFA for Cisco RV Series VPN

Before configuring Rublon MFA for Cisco RV Series VPN:

  • Ensure you have prepared all required components.
  • Create an application in the Rublon Admin Console.
  • Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeRADIUS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already.

3. Cisco RV Series Router – You need a Cisco RV Series router with firmware 1.0.03.21 or higher. This is because only version 1.0.03.21 and higher allows you to configure Timeout and No. of Retries parameters that are required for Rublon MFA to work correctly.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application

3. Enter a name for your application (e.g., Cisco RV Series VPN) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.

Install Rublon Authenticator

Some end-users will install the Rublon Authenticator mobile app. So, as a person configuring MFA for Cisco RV Series VPN, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Cisco RV Series via Mobile Push.

Download the Rublon Authenticator for:

Configuring Multi-Factor Authentication (MFA) for Cisco RV Series VPN

Follow the following instructions to set up MFA for Cisco RV Series VPN.

Configuring Rublon Authentication Proxy as RADIUS Server

1. Log in to the Cisco RV Series admin panel.

2. Go to System Configuration → User Accounts.

Image showing User Accounts view in Cisco RV340 admin panel

3. Scroll down to the Remote Authentication Service section, check RADIUS and click the edit icon.

Image showing editing RADIUS remote authentication service

4. Fill in the form. Refer to the following image and table.

Image showing adding a new domain
Primary ServerEnter the IP of your Rublon Authentication Proxy server.
PortEnter the port of your Rublon Authentication Proxy server.

Default: 1812
Pre-shared KeyEnter the RADIUS_SECRET you set in the Rublon Authentication Proxy’s config file.
Confirm Pre-Shared KeyReenter the RADIUS_SECRET.
Radius Timeout60

If experiencing issues, increase to 90.
No. Of Retries3

5. Click Apply to save the changes. After adding a new RADIUS server, you will be redirected to the User Accounts tab. Stay on this page.

Configuring RADIUS as the Main Authentication Source for VPN Modules

1. On the User Accounts tab, scroll all the way down to the Service Auth Sequence section and uncheck Use Default next to each desired service in the list.

Image showing configuring RADIUS as the main authentication source for VPN modules

2. Select RADIUS next to each desired service (AnyConnect SSL VPN, PPTP Server, L2TP Server) in the Customize: Primary column.

Note

You can also set RADIUS for Web Login/NETCONF/RESTCONF. This will enable Rublon MFA for Cisco RV Series Admin Panel logins.

However, do it at your own risk.  If Cisco loses connection to Rublon Authentication Proxy, you will not be able to log in to the device. Unfortunately, setting Local DB as a second source of authentication for Web Login does not work as it should in Cisco RV Series, which may cause issues when choosing to enable MFA on Cisco Admin Panel logins. This is an issue on the Cisco side.

Configuring a group for RADIUS_CLASS_ATTR

You must create a new User Group, assign it to a given VPN profile, and then include it in the Rublon Authentication Proxy configuration.

1. Go to System Configuration → User Groups and click the + (plus) sign to add a new group.

Image showing User Groups view in Cisco RV340 admin panel

2. Fill in the form. Refer to the following image and table.

Image showing creating a group in Cisco RV340 admin panel
Overview
Group Name Enter a name for your group, e.g., VPN_Users.
Local User Membership List If you want one or more local accounts to be members of this group, you can select them here.
Services
Web Login/NETCONF/RESTCONF Choose whether the members of the group you are creating should be able to log in to the Cisco RV Series Admin Panel and in what role.

Select Disabled if you do not want to enable Rublon MFA for Admin Panel logins.

Select Read Only to allow logging into the Cisco RV Series Admin Panel but not allow making configuration changes.

Select Administrator to allow logging into the Cisco RV Series Admin Panel and making configuration changes.

We recommend you disable MFA for Admin Panel logins.
Site to Site VPN Do not change anything.
EzVPN/3rd Party Do not change anything.
SSL VPN Select the appropriate SSL VPN profile from the Select a Profile list.
PPTP VPN Permit.
L2TP Permit.
802.1x Optional. You can leave it unchecked.

3. Click Apply to save the changes.

4. After creating the group on the Cisco RV Series, you have to include the name of that group in the Rublon Authentication Proxy configuration file’s RADIUS_CLASS_ATTR parameter inside the Servers section, e.g.,

"RADIUS_CLASS_ATTR": "VPN_Users",

Remember to restart the Rublon Authentication Proxy service for the change to take effect.

For more information, refer to the Rublon Authentication Proxy documentation.

Changing settings for L2TP VPN

The preceding configuration steps are enough for SSL VPN and PPTP modules. For L2TP, however, you need to create a new IPSec profile and assign it to L2TP. Again, this requirement is related to the characteristics of the Cisco RV Series itself and does not depend on Rublon.

1. Go to VPN → IPSec Profiles and click the + (plus) button to create a new IPSec profile.

Image showing IPSec Profiles view in Cisco RV340 admin panel

2. Fill in the form. Refer to the following image and table.

Image showing adding a new IPSec profile
Add a New IPSec Profile
Profile Name Enter a name for your profile, e.g., L2TP.
Keying Mode Auto
IKE Version IKEv1
Phase I Options
DH Group Group 2 – 1024 bit
Encryption 3DES
Authentication SHA1
SA Lifetime 28800
Phase I Options
Protocol Selection ESP
Encryption 3DES
Authentication SHA1
SA Lifetime 3600
Perfect Forward Secrecy Uncheck.

3. Click Apply to save the new profile.

4. Now, you need to point to the newly created IPSec profile in the L2TP settings. To do this, go to VPN → L2TP Server. Then, in the IPSec Profile dropdown, select the newly-created profile. Finally, confirm your selection with the Apply button.

Image showing the L2TP Server view in Cisco RV340 admin panel

Testing Multi-Factor Authentication (MFA) for Cisco RV Series VPN

Now that your configuration is complete, refer to the following testing sections to learn how to test your setup for SSL, PPTP, and L2TP VPN.

Testing MFA for Cisco RV Series SSL VPN – AnyConnect VPN Client

1. Run the Cisco AnyConnect VPN Client, select the connection, and click Connect.

Image showing Cisco AnyConnect Secure Mobility Client

2. Provide your login credentials and click OK.

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push for Cisco RV340 SSL VPN received by a user

4. You will connect to the VPN.

Testing MFA for PPTP VPN and L2TP VPN

To test MFA for Cisco PPTP VPN and MFA for Cisco L2TP VPN, use the Windows VPN client or any other client that supports PPTP/L2TP. Note that you have to select the PAP protocol in the settings of the VPN profile if you are using the Windows VPN client.

How to Add and Configure a Cisco RV Series PPTP/L2TP VPN connection in Windows VPN

1. Go to Settings → Network & Internet → VPN → Add a VPN Connection and fill in the form. Refer to the following image and table.

Image showing adding a VPN connection in Windows
Connection nameSet a name for your VPN connection, e.g., Cisco VPN.
Server name or addressEnter the IP address or hostname of your Cisco server.
VPN TypeSet to PPTP or LT2P/IPSec with Pre-Shared Key depending on which one you are testing.
Type of sign-in infoSet to User name and password.
User name (optional)We recommend you enter your user name.If you do not specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN. 
Password (optional)We recommend you enter your password.If you do not specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN.
Remember my sign-in infoOptional. Check to save your user credentials.

2. Click Save to save your new VPN connection profile.

3. Edit the VPN connection and specify the authentication protocol.

Go to Control Panel → Network and Sharing Center and select Change adapter settings from the menu on the left.

4. Right-click the newly created VPN profile and select Properties.

5. A new window with properties for this connection will open.

6. Go to the Security tab and change Authentication to Allow these protocols. Then, check Unencrypted password (PAP).

Image showing editing a VPN profile in Windows

7. Click OK to save and confirm the changes.

Connecting to Cisco RV Series PPTP/L2TP VPN

1. Select your VPN connection and click Connect.

Image showing a newly-created VPN profile in Windows

2. If you have not set your user name and password while adding your VPN connection, a window will appear for you to provide your credentials. Provide your user name and password and click OK.

Image showing a Windows login prompt when connecting to VPN

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push for Cisco RV340 PPTP VPN received by a user
Image showing a Mobile Push for Cisco RV340 L2TP VPN received by a user

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations

Multi-Factor Authentication (MFA) for Cisco VPN