
Preparing RADIUS server for Rublon Authentication Proxy

August 25, 2020 By Rublon Authors

Last updated on August 21, 2024

Note

This is archived documentation. There is no need to perform any of the steps described in this documentation anymore.

For the most up-to-date instructions on configuring the Rublon Authentication Proxy for a RADIUS server, please refer to the newest version of the documentation.

Overview

You have to prepare your RADIUS server if you would like to use it as the identity provider (IdP) for Rublon Authentication Proxy. After successful authentication, Rublon Authentication Proxy expects to find the user’s email address in the Access-Accept response packet. This email address is necessary to perform 2FA.

If you are using email addresses as your username attribute, ignore this documentation and navigate to the Configuration section in the Rublon Authentication Proxy documentation.

This documentation applies to the FreeRADIUS server with daloRADIUS UI, as FreeRADIUS alone does not offer a simple way to add email addresses to the users. If you do not use daloRADIUS, you may need to change the SQL statement in the Edit the default file section.

This documentation describes only the server-side configuration. Rublon Authentication Proxy has its own RADIUS dictionary (in the lib/resources directory) and by default understands attributes that are added here.

Configuration

This section briefly describes the configuration process for FreeRADIUS.

Add Rublon vendor to the dictionary

To add Rublon-specific attributes, use our dictionary file, or append its content to the dictionary file using the instructions below.

Open the dictionary file located in the /etc/freeradius directory and append the following lines at the end:

VENDOR          Rublon          56247

BEGIN-VENDOR Rublon
ATTRIBUTE       Rublon-Email            1       string
END-VENDOR Rublon

This ensures RADIUS understands Rublon’s attribute and can send it in the response.

Edit the default file

The default file is located under the path: /etc/freeradius/sites-available. Add the following lines under the post-auth section:

post-auth {
    …
    if (Response-Packet-Type == Access-Accept) {
        update reply {
            Rublon-Email = "%{sql:SELECT email FROM userinfo WHERE username='%{User-Name}';}"
        }
    }
    …
}

This causes the RADIUS server to return the user’s email in the Access-Accept response packet within the Rublon-Email attribute.

Test

After you have updated the preceding files, perform a test to make sure RADIUS returns a valid response.

To test the response, use the radtest command:

radtest user1 testpwd localhost 18128 testing123

where:

user1 is the username
testpwd is the password
localhost is the IP address to send the request to
18128 is the NAS-Port
testing123 is the RADIUS secret

The result should look similar to this:

Sending Access-Request of id X to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "testpwd"
NAS-IP-Address = 10.0.2.15
NAS-Port = 18128
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=199, length=41
 Rublon-Email = "user1@example.com"

Make sure the Rublon-Email attribute is returned. It must be the user’s email only.
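
The check above can also be run on the raw reply. The following is an added example, not part of the Rublon documentation or product code: it decodes an Access-Accept packet, locates the Vendor-Specific attribute for vendor 56247, sub-attribute 1 (Rublon-Email), and rejects a reply where the value is missing, empty, or not a single bare address. The function names, the email pattern and the sample packet are assumptions constructed for illustration.

```python
import re
import struct

RUBLON_VENDOR_ID = 56247   # "VENDOR Rublon 56247" from the dictionary
RUBLON_EMAIL = 1           # "ATTRIBUTE Rublon-Email 1 string"
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2          # RADIUS packet code for Access-Accept
# Assumed, deliberately strict shape: one bare address, no spaces, one "@".
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def rublon_emails(packet):
    """Return every Rublon-Email value in an Access-Accept packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found = []
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != RUBLON_VENDOR_ID:
            continue
        found += [v.decode("utf-8") for t, v in tlvs(value[4:]) if t == RUBLON_EMAIL]
    return found

def check_reply(packet):
    """Return the email if the reply carries exactly one bare address."""
    emails = rublon_emails(packet)
    if len(emails) != 1 or not EMAIL_RE.fullmatch(emails[0]):
        raise ValueError("Rublon-Email missing or not a single address: %r" % emails)
    return emails[0]

def build_accept(email, ident=199):
    """Constructed sample reply; the zeroed authenticator is not verified here."""
    val = email.encode("utf-8")
    vsa = struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(val),
                      RUBLON_VENDOR_ID, RUBLON_EMAIL, 2 + len(val)) + val
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(vsa)) + bytes(16) + vsa

if __name__ == "__main__":
    print(check_reply(build_accept("user1@example.com")))
```

An empty value is the case to watch for: if the SQL lookup finds no row for the user, the reply can still carry a Rublon-Email attribute with nothing in it, and check_reply rejects that.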

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.
