Rublon

Secure Remote Access

By

Last updated on July 8, 2025

Multi-Factor Authentication (MFA) for EESM ForestSafe Privileged Password Management is an extra layer of security that provides an additional way to verify that only authorized users can log in to ForestSafe. EESM ForestSafe MFA requires users to complete both a primary authentication (login/password) and secondary authentication (Mobile Push) before granting them access, making it much more challenging for cybercriminals to access accounts even if they have obtained a user’s password.

Overview of MFA for ForestSafe Privileged Password Manager

Rublon Multi-Factor Authentication (MFA) for EESM ForestSafe allows you to add an extra layer of security to your EESM ForestSafe logins. MFA for EESM ForestSafe is done using the Rublon Authentication Proxy.

Rublon MFA for EESM ForestSafe enables Multi-Factor Authentication (MFA) / Two-Factor Authentication (2FA) during logins. Users who enter the correct username and password proceed to the secondary authentication method. Rublon will deny access if users cannot complete the extra authentication method, stopping potential intruders from gaining access.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Before You Start Configuring MFA for EESM ForestSafe  Privileged Password Manager

Before configuring Rublon MFA for ForestSafe:

  • Ensure you have prepared all required components.
  • Create an application in the Rublon Admin Console.
  • Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeRADIUS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already.

3. EESM ForestSafe Express and EESM Agent – Ensure you have correctly configured EESM ForestSafe, especially that user logins work properly before deploying MFA for ForestSafe Privileged Password Manager

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application

3. Enter a name for your application (e.g., EESM ForestSafe) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.

Install Rublon Authenticator

Some end-users will install the Rublon Authenticator mobile app. So, as a person configuring MFA for EESM ForestSafe, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for EESM ForestSafe via Mobile Push.

Download the Rublon Authenticator for:

Configuring Multi-Factor Authentication (MFA) for EESM ForestSafe Privileged Password Manager

Follow the instructions below to set up Multi-Factor Authentication (MFA) for EESM ForestSafe Privileged Password Manager.

Enabling Append Mode in Rublon Authentication Proxy

In the config.json file, add the following two lines to one or more of your servers in the SERVERS section:

"USE_APPEND_MODE": true
"APPEND_MODE_SEPARATOR": ","

For more information about the config.json file configuration, see the Rublon Authentication Proxy documentation

Configuring RADIUS in ForestSafe

1. Run the ForestSafe Control Panel.

2. Select the Security tab and then click Two-Factor Authentication.

Image showing the ForestSafe Control Panel

3. In Type, select 2FA by Radius to activate the RADIUS 2FA tab.

4. Select the RADIUS 2FA tab and enter the following information:

  • RADIUS Server address and port SERVER:PORT – Enter the IP address and port of your Rublon Authentication Proxy server in the following form: IP:PORT, e.g., 10.0.9.18:1812.
  • RADIUS Server Secret – Enter the RADIUS_SECRET you set in the Rublon Authentication Proxy’s config file.
Image showing the ForestSafe Two-Factor Authentication window

5. Click Apply to save the changes you made.

Testing Multi-Factor Authentication (MFA) for EESM ForestSafe  Privileged Password Manager

1. Open the address of the EESM ForestSafe Agent in your browser, enter your login credentials, and click Sign in.

Image showing opening the address of the EESM ForestSafe Agent in the browser.

2. Enter your username again.

Image showing confirming the user's Radius User Name during ForestSafe MFA authentication.

3. Leave Verification Code empty.

Enter your password and the authentication method name in the User Password field according to the following form:

user_password,auth_method_name

Let’s choose Passcode for this example. In the User Password field, enter user_password,123456, and click Submit.

Image showing appending the Mobile Passcode (TOTP) from the Rublon Authenticator to the password during ForestSafe MFA login

Valid auth_method_name options are:

  • 123456 – a Passcode (6-digit TOTP code generated by Rublon Authenticator or a third-party app like Google Authenticator or Microsoft Authenticator)
  • 123456789 – a Bypass Code (9-digit code received from the administrator)
  • push – a Mobile Push is sent to their phone; requires Rublon Authenticator
  • email – an email message containing an Email Link is sent to their email address
  • smsLink – a text message containing an SMS Link
  • phoneCall – a Phone Call from Rublon
  • <YubiKey OTP code> – insert the YubiKey and press the button on the key; the OTP will be typed automatically and then Enter will be pressed

Note

There is no way to change RADIUS timeout on the ForestSafe side. This may lead to users not having enough time to complete secondary authentication using Mobile Push and Email Link methods. This is why we recommend using the Passcode method.

Note

If you log in with MFA for the first time, ForestSafe may prompt you to enter your password and authentication method name twice. After the successful first login, you will only need to enter this information once upon subsequent logins.

4. You will gain access to ForestSafe.

Image showing the Forest Safe Agent after successful MFA authentication.

Troubleshooting MFA for ForestSafe Privileged Password Manager

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations