Rublon

Secure Remote Access

By

Last updated on December 17, 2025

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Kemp LoadMaster. In order to achieve that using RADIUS (e.g. FreeRADIUS) as your authentication source, you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Kemp LoadMaster to add Two-Factor Authentication to your logins.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
FIDO N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP N/A
RFID N/A

Before You Start

Before configuring Rublon MFA for Kemp LoadMaster:

  • Ensure you have prepared all required components.
  • Create an application in the Rublon Admin Console.
  • Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as FreeRADIUS or Microsoft NPS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already, and configure the Rublon Authentication Proxy as an RADIUS proxy.

3. Kemp LoadMaster – A properly installed and configured Kemp LoadMaster. Tested on Kemp LoadMaster LX-25.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application

3. Enter a name for your application (e.g., Kemp) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy the values of System Token and Secret Key of the newly created application. You will need them later.

Install Rublon Authenticator

Some end-users may use the Rublon Authenticator mobile app. So, as a person configuring MFA for Kemp LoadMaster, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Kemp LoadMaster via Mobile Push.

Download the Rublon Authenticator for:

Configuration

Rublon Authentication Proxy

1. Edit the Rublon Auth Proxy configuration file and paste the previously copied values of System Token and Secret Key in system_token and secret_key, respectively.

2. Config example file in YAML:

global:
  secret_source: plain  # Options: plain, env, vault

log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token: YOURSYSTEMTOKEN
  secret_key: YOURSECRETKEY

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: YOURRADIUSSECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: LDAP_SOURCE_1
    auth_method: push,email
    cert_path: /etc/ssl/certs/ca.crt
    pkey_path: /etc/ssl/certs/key.pem
    force_message_authenticator: false

auth_sources:
- name: LDAP_SOURCE_1
  type: LDAP
  ip: 172.16.0.127
  port: 636
  transport_type: ssl
  search_dn: dc=example,dc=org
  access_user_dn: cn=admin,dc=example,dc=org
  access_user_password: CHANGE_ME
  ca_certs_dir_path: /etc/ssl/certs/

See: How to set up LDAPS certificates in the Rublon Authentication Proxy?

3. (Optional) If you want to use the Challenge Mode, change:

   mode: standard

To:

   mode: challenge

Then, you can set the message displayed on the challenge request:

challenge_request: “Enter Your MFA Code”

If you do not set challenge_request in the config file, the default message will be used instead, as defined in the Rublon Authentication Proxy documentation.

Kemp LoadMaster

1. Open the Kemp admin console.

2. Navigate to the menu located on the left, and select Add New under the Virtual Services section.

3. Specify the parameters for your Virtual Service, and click the Add this Virtual Service button. If you would like to learn more, please visit this web page.

4. Navigate to Virtual Services → Manage SSO, and fill in the Add new Client Side Configuration field with the name of your new SSO configuration. Afterwards, click Add to create a new Client Side Configuration.

5. Select RADIUS in the Authentication Protocol drop-down list.

6. Enter the address of your Rublon Authentication Proxy in the RADIUS Server(s) field. Confirm by clicking the Set RADIUS Server(s) button.

7. Enter the RADIUS Secret set in Rublon Authentication Proxy as the RADIUS Shared Secret, and confirm by pressing the Set Shared Secret button.

8. Set Logon Format (Phase 1 RADIUS) to Username Only.

9. You can optionally enable Send NAS Identifier. It’s disabled by default. If you enable it, a NAS identifier string is sent to the RADIUS server. This string is set to hostname by default. If you check Send NAS Identifier, a RADIUS NAS Identifier field will appear, and you will be given an opportunity to specify the value to be used as the NAS identifier. If the value is not specified, the hostname is used.

Other settings depend on your preferences. If you would like to learn more, please visit this page.

10. Navigate to View/Modify Services, and click the Modify button. Extend ESP options.

11. Check Enable ESP, and fill in the required data.

12. Set Client Authentication Mode to Form Based. Set the SSO Domain you have created before, and finally specify the Allowed Virtual Hosts, Allowed Virtual Directories and Server Authentication Mode according to your configuration. If you would like to learn more about the ESP configuration, please visit this page.

13. Your configuration is complete. Your users have 2FA enabled when logging in to their Virtual Service.

Log in to Kemp LoadMaster with Rublon 2FA

1. Initiate the Kemp Virtual Service and supply LDAP credentials.

2. Let’s assume you have configured your Rublon Authentication Proxy to use Mobile Push as the authentication method (auth_method is set to push). After providing your login and password, Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

3. After completing MFA, you will be redirected to the virtual service.

4. An active session will appear in the Domain Users Management section of the Kemp LoadMaster Admin Interface.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations