Rublon

Secure Remote Access

By

Last updated on December 12, 2024

Overview

Rublon Authentication Proxy is an on-premises RADIUS and LDAP proxy server that allows you to enable Multi-Factor-Authentication (MFA/2FA) on any service that supports RADIUS or LDAP authentication protocol.

Supported systems:

  • Linux (tested on CentOS, Ubuntu)
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Available authentication methods:

Minimum Hardware Requirements:

  • 1 CPU
  • 300 MB disk space
  • 4 GB RAM

How Does Rublon Authentication Proxy work?

After you deploy the Rublon Authentication Proxy as an on-premises service and set it up as a RADIUS or LDAP authentication source on one or more services (e.g. OpenVPN), the Rublon Authentication Proxy starts listening for any incoming authentication requests.

When you initiate login to one of the integrated services, the Rublon Authentication Proxy receives an Access-Request. Then, Rublon asks for your IdP credentials. If the user credentials you provided are correct, Rublon initiates the second step of authentication.

After you complete the second step of authentication, the Rublon Authentication Proxy returns an Access-Accept response, which concludes 2FA. The following diagram shows a simplified, successful authentication process:

The following diagram portrays a Rublon Authentication Proxy login flow along with the names of protocols used in each part of the transaction. 

A diagram portraying a Rublon Authentication Proxy login flow

Before You Start

Rublon Authentication Proxy is not an Identity Provider (IdP). Rublon Authentication Proxy is a RADIUS proxy server that pulls users from an external IdP. As a result, you have to use (or set up) an external IdP that manages your user identities.

List of tested and verified IdPs:

  • Active Directory
  • OpenLDAP 
  • FreeIPA
  • FreeRADIUS (standalone, full version)
  • Cisco ACS
  • Microsoft NPS (Network Policy Server)

Rublon requires a user’s email address to perform 2FA. Consequently, every user who wants to log in using the Rublon Authentication Proxy must have their email address assigned in the Rublon Admin Console. If the user has an email address added to their IdP account, Rublon will automatically add this email address to the Rublon Admin Console during user enrollment. Otherwise, you must manually add the user’s email address in the Admin Console.

Rublon Authentication Proxy does not support RADIUS Accounting. As a result, the Rublon Authentication Proxy does not listen on port 1813. Rublon may add support for RADIUS Accounting in the future. In the meantime, turn off RADIUS Accounting to avoid potential errors.

Install Rublon Authentication Proxy

You can install the Rublon Authentication Proxy on Linux or Windows.

Linux

  • If your Linux distribution uses glibc (GNU libc) version 2.29 or higher, download the rublonauthproxy package.
  • If your Linux distribution uses glibc (GNU libc) version 2.28 or lower, download the rublonauthproxy_py36 package.

More info about glibc version

We strongly recommend you install Rublon Authentication Proxy on a Linux distribution that uses glibc (GNU libc) version 2.29 or higher. However, if your Linux distribution uses glibc version lower than 2.29, you can download this Rublon Authentication Proxy package.

You can check your Linux distribution’s glibc version using rpm or ldd. Some of the known Linux distributions with glibc lower than 2.29:

• RHEL 6

• RHEL 7

• CentOS 7

• Debian 9

  1. Deploy rublonauthproxy-latest in the desired location on the server and unpack it (make sure to change the file name when copy-pasting the command below).
    tar -xzf rublonauthproxy-X.Y.Z.tgz
  2. Go to the unpacked folder:
    cd rublonauthproxy
  3. Create a service file:
    make service
  4. Move the created service file to /lib/systemd/system:
    mv rublon.service /lib/systemd/system
  5. Reload daemon services:
    systemctl daemon-reload
  6. Create a rublonauthproxy/config/config.json file based on config.example.json (you can use our minimal config file templates).

Windows

  1. Download the Rublon Authentication Proxy installer.
  2. Launch the installer with administrator rights and follow the instructions to complete the installation.
  3. Modify the Rublon Auth Proxy\config\config.json file based on config.example.json.

Note

Some antivirus software, such as CrowdStrike and Kaspersky, may interfere with the installation or operation of the Rublon Authentication Proxy. To avoid this problem, please add Auth Proxy to the list of exceptions or trusted applications in your antivirus settings.

Configure Rublon Authentication Proxy

The config.json configuration file must be located inside the rublonauthproxy/config directory. Use a proper JSON convention. All property names must be uppercase.

Example configuration templates are the easiest way to start a configuration. Find them at the bottom of this document. Templates are also located inside the rublonauthproxy/config directory after you unpack the Rublon Authentication Proxy.

If you would like to use RADIUS as an authentication source, you have to configure your RADIUS server first.

To obtain RUBLON_TOKEN and RUBLON_SECRET, sign in to the Rublon Admin Console and add a new application of type Rublon Authentication Proxy.

Note that after every change in the config.json file, you must restart the Rublon Authentication Proxy service for the changes to take effect.

Sections

IMPORTANT

Note that Rublon Authentication Proxy 3.0.0 does not support configurations from earlier versions. Upgrading to 3.0.0 will leave your config.json file in its original state, which may lead to configuration errors. To ensure a smooth transition, update the config.json file according to the new configuration format detailed in this section. For more information, take a look at the configuration example.

The Rublon Authentication Proxy configuration file consists of three sections: LOGGING, PROXIES, and AUTH_SOURCES.

The first section, LOGGING, is global and you can use it to configure logging settings.

The next two sections, PROXIES and AUTH_SOURCES, are both lists. 

  • Use the PROXIES section to define all proxy servers to be run with the Rublon Authentication Proxy (the Auth Proxy can simulate multiple proxies with one installation).
  • Use the AUTH_SOURCES section to define all Identity Providers (IdP) that will be used by proxy servers.

LOGGING SECTION

DEBUGWhether to log more verbose information to log files.

Default: false
REMOVE_LOGS_OLDER_THANLogs are stored within a day range. This number indicates how many log files should be kept. If the number of log files reaches this value, the oldest log file is overridden by the newest.

Default: 7

PROXY SECTION

You can define one or more proxies in this section.

  • GENERAL PROXY SETTINGS apply to all proxies, both RADIUS and LDAP
  • RADIUS PROXY SETTINGS apply only to proxies that are RADIUS proxies
  • LDAP PROXY SETTINGS apply only to proxies that are LDAP proxies
GENERAL PROXY SETTINGS

This subsection describes the possible options of a single element in the “PROXIES” array inside the configuration file. These options are related to both RADIUS and LDAP proxies. See the configuration example for more details.

NAMEName used for the PROXY
AUTH_PROTOCOLThe auth protocol that this proxy should simulate.
Possible values: “LDAP” or “RADIUS”

Default: “RADIUS”
IPThe IP address the proxy will be listening on. If left empty, the Rublon Authentication Proxy will be listening on 0.0.0.0.
PORTThe port the proxy will be listening on. If you configure more than one server, make sure to provide different ports for each server.

Default: 1812
RUBLON_APIRublon API host (https://core.rublon.net)
RUBLON_TOKENThe System Token of the application with type Rublon Authentication Proxy added in the Applications tab of the Rublon Admin Console
RUBLON_SECRETThe Secret Key of the application with type Rublon Authentication Proxy added in the Applications tab of the Rublon Admin Console
USE_HOSTS_WHITELISTIndicates whether to use the hosts IP whitelist. If set to true, the Rublon Authentication Proxy will drop all the packets from hosts not listed inside the config/hosts.json file.

Default: false
AUTH_TIMEOUTTime limit (in seconds) for a user to finish 2FA. After that time the login request will be rejected and the user will have to re-authenticate.

Default: 90
AUTH_SOURCEIndicates which authentication source should be used for primary authentication.
Use the names of auth sources configured in the AUTH_SOURCES section.

If you have more than one authentication source (e.g., two LDAP servers), add these authentication sources to the configuration file with names in the following form: “NAME_X” (e.g., “NAME_1” and “NAME_2”) and use these names in the “AUTH_SOURCE” property.

You can specify backup authentication sources by separating them by a comma, e.g., “NAME,NAME_2”.

See the configuration example for more details.
USE_APPEND_MODEAvailable only in “standard” mode. Allows the user to choose the authentication method by appending it to the password. More details can be found here.

Default: false
APPEND_MODE_SEPARATORIf “USE_APPEND_MODE” is set to true, AppendMode will use this value to extract the appended auth method used by the user.

Default: “,” (comma)
AUTH_METHODThe authentication method used for MFA. Valid options are “push” and “email”. You can provide an array of values here, e.g., “push,email”. In this case, if “push” fails, “email” will be used instead.

Default: “email”
FAIL_MODEEither “bypass” or “deny”. Indicates whether the user’s access should be bypassed or denied when connection issues with a Rublon server occur.

Default: “bypass”
USE_USERNAME_AS_EMAILAllows using the username as an email address. If the username is not a valid email address, Rublon Authentication Proxy fetches the email address from the authentication source.

Default: false
RADIUS PROXY SETTINGS

This subsection describes the possible additional options of a single element in the “PROXIES” array when the element is a RADIUS proxy. See the configuration example for more details.

CLIENT_IP_ATTRThe RADIUS attribute that contains an IP address, which will be displayed during the user authentication process, e.g. “NAS-IP-Address”. If this attribute is not found within the request authentication packet, the IP address found in the UDP datagram will be used. It will usually be a local IP address. Case-sensitive.

Default: “Calling-Station-Id”
RADIUS_SECRETThe RADIUS secret that services will use to communicate with Rublon Authentication Proxy.

Note that even if you use LDAP as your authentication source, you still need to set the RADIUS_SECRET.

You have to generate this value yourself. We recommend you use a password-generating tool to generate a strong and secure RADIUS secret.
MODE“standard” – log in using a predefined MFA auth method, or using Append Mode.

“challenge” – use Radius Challenge. Rublon Authentication Proxy will respond with the AccessChallenge packet and wait for the Mobile Passcode provided in the next request

“nocred” – specific system integration. Rublon Authentication Proxy will search for user email in AD, and then perform 2FA against Rublon.

Default: “standard”

To learn more about Auth Proxy Modes, refer to Rublon Authentication Proxy Modes Explained.
RADIUS_CLASS_ATTRThe RADIUS CLASS attribute that will be sent in the “Access-Accept” response by the proxy.
LDAP PROXY SETTINGS

This subsection describes the possible additional options of a single element in the “PROXIES” array when the element is an LDAP proxy. See the configuration example for more details.

TRANSPORT TYPE“plain” – does not use encryption. It’s not recommended due to security concerns.

“ssl” – uses SSL encryption and trusts the certificate located under the CERT_KEY path.

Default: “plain”
PRIVATE_KEYThe path to the private key used when setting up the LDAP Proxy over SSL.
CERT_KEYThe path to the trusted certificate for LDAP Proxy over SSL.
USE_TLSWhether to use Transport Layer Security during the connection with the Proxy.
ANONYMOUS_BINDAllows to use of anonymous binds (connection without a username and password) with the LDAP connection.

Default: false

Known Limitations

Currently LDAP PROXY works only with a single LDAP authentication source.

AUTH_SOURCES SECTION

You can define one or more authentication sources in this section.

  • LDAP SOURCE SETTINGS applies only to LDAP authentication sources
  • RADIUS SOURCE SETTINGS applies only to RADIUS authentication sources
LDAP SOURCE SETTINGS

You can configure multiple LDAP authentication sources by adding more than one list element in the AUTH_SOURCES section. See the configuration example to find out how to do it.

NAMEThe unique identifier used to distinguish this authentication source. Ensure all names under the AUTH_SOURCES section are unique.
AUTH_PROTOCOLThe auth protocol that this authentication source uses: “LDAP” or “RADIUS”

Default: “RADIUS”
IPThe hostname or IP address of the Active Directory used for primary authentication.
PORTThe LDAP port used for primary authentication. By default, port 389 is used for “plain” connection (LDAP) and port 636 is used for “ssl” (LDAPS).
SEARCH_DNRublon uses the Distinguished Name to search for groups of users that will authenticate with the Rublon Authentication Proxy. This is typically your company’s AD FQDN.

Example: dc=example,dc=com

Here’s how to find FQDN.
TIMEOUTThe time (in seconds) after which the LDAP connection attempt will be aborted and access rejected.

Default: 10
USERNAME_ATTRIBUTEThe username attribute used to log in.

Default: sAMAccountName
ACCESS_USER_DNThe full Bind DN of a user that has Read rights in Active Directory. This account will be used for user searches. We suggest creating an additional user with Read-only rights.

Here’s how to find Bind DN.
ACCESS_USER_PASSWORDThe password of the user in ACCESS_USER_DN.
SECURITY_GROUP_DNThe distinguished name of a group whose users will be authenticated against. If not set, all users found by using SEARCH_DN will be able to log in.
CUSTOM_FILTERRublon Authentication Proxy will grant access only to the users matching this LDAP filter. Use standard LDAP filter syntax.
TRANSPORT TYPE“plain” – does not use encryption when connecting via LDAP, not recommended due to security concerns.

“ssl” – uses SSL encryption and trusts certificates located inside the certs directory if present.

“starttls” – starts with a normal connection and then immediately switches to an encrypted one.

Default: “plain”
CERT_DIR_PATHThe path to the directory containing certificates for the SSL connection. Certificates should be in .pem format, with one certificate per file. By default, Rublon Authentication Proxy will search inside the config/certs directory.
EMAIL_ATTRIBUTERublon needs a user’s email address to link the user to their Rublon account.

The EMAIL_ATTRIBUTE allows you to choose which Active Directory attribute to use as an email attribute. If you have a custom AD attribute that stores email addresses, then provide the name of this AD attribute here.

Default: “mail”

RADIUS SOURCE SETTINGS

You can configure multiple RADIUS authentication sources by adding more than one list element in the AUTH_SOURCES section. See the configuration example to find out how to do it.

NAMEThe unique identifier used to distinguish this authentication source. Ensure all names under the AUTH_SOURCES section are unique.
AUTH_PROTOCOLThe auth protocol that this authentication source uses: “LDAP” or “RADIUS”

Default: “RADIUS”
IPThe IP address of the RADIUS server used for primary authentication.
PORTThe port of the RADIUS server for Access-Request. Typically, this port is 1812.
SECRETThe RADIUS Secret used in the Rublon Authentication Proxy – RADIUS server communication. If left empty, the proxy’s RADIUS_SECRET is used.
TIMEOUTThe time (in seconds) after which a single connection attempt with the RADIUS server will be aborted. Note that you have to multiply this value by the retries count to get the actual time, after which Rublon will abort trying to connect to the RADIUS server.

Default: 5
RETRIESThe number of reconnection attempts when a response is not received.

Default: 3
PROXY_REQUESTSWhether to proxy requests to the RADIUS server. Rublon MFA will be performed after successful authentication.

Works only in “standard” proxy mode.
Append Mode does not work when proxying requests.

Note that you will have to set the proxy’s RADIUS Secret to the same value as the RADIUS server secret. See Non-PAP protocol for RADIUS communication communication for more information.

Default: false
NAS_IP_ADDRESSThe IP address that will be sent in the “NAS-IP-Address” attribute to the RADIUS server. If left empty, no “NAS-IP-Address” is sent. However, proxied requests will copy “NAS-IP-Attribute” from origin requests.
EMAIL_ATTR_NAMEThe attribute that should be received from RADIUS within the Access-Accept packet containing the user’s email. Modify only if, for some reason, you have changed the suggested RADIUS server configuration.

Default: “Rublon-Email”

Append Mode

Append Mode is a feature available in Rublon Authentication Proxy when the “standard” mode is set in the configuration file. Append Mode allows you to choose your authentication method by appending specific values to your password when logging in to an integrated service. The specific value is preceded by the append mode separator. 

Append Mode works only in “standard” mode. Enable Append Mode by adding the following options to one of your server’s configurations under the “SERVERS” section:

“USE_APPEND_MODE”: true
“APPEND_MODE_SEPARATOR”: “,”

By default, the separator is set to “,” (comma).

How does it work?

After you enable Append Mode, when logging in to an integrated service, type in your password. Then, append the APPEND_MODE_SEPARATOR. Then, you can append one of the following values:

  • “push”
  • “email”
  • “123456” – the TOTP code; must be exactly 6 characters long with no spaces in-between

If Append Mode is enabled but the user only provides their password without appending anything, the authentication method set in AUTH_METHOD is used.

Similarly, if the appended value is not recognized, the entire provided string is treated as a password and the authentication method set in AUTH_METHOD is used.

Note that AppendMode is case-sensitive. Values like “Push”, “EMAIL”, “pUsH” do not work.

Examples

Let’s assume that your password is: “pancakes123, and the separator is not set in the configuration file, so its value is the default “,” (comma).

If you would like to choose push as the authentication method, type:

    pancakes123,push

If you would like to choose email as the authentication method, type:

    pancakes123,email

If you would like to choose totp as the authentication method, type:

    pancakes123,123456

Where 123456 is the TOTP code generated by Rublon Authenticator.

Non-PAP protocol for RADIUS communication

By default, the Rublon Authentication Proxy uses only the PAP protocol to authenticate users. This means that all systems that try to use other protocols (like CHAPv1, EAP-MS-CHAPv2) to communicate with Rublon Authentication Proxy will not work. However, it is possible to configure the Rublon Authentication Proxy to proxy all non-PAP requests to the RADIUS server.

To do so, add:
    "PROXY_REQUESTS": true

To your configuration file, under the “RADIUS” section. Rublon 2FA will be performed upon receiving the Access-Accept response packet from the RADIUS server.

If the RADIUS server was configured to accept these protocols, protocols such as CHAPv1 or MS-CHAPv2 (even EAP-MS-CHAPv2) should work from now on.

Refer to the following flowchart, which portrays how proxying works.

Configuration example

{
  "LOGGING": {
    "DEBUG": "false",
    "REMOVE_LOGS_OLDER_THAN": 7
  },
  "PROXIES": [
    {
      "NAME": "RADIUS_PROXY",
      "AUTH_PROTOCOL": "RADIUS",
      "RADIUS_SECRET": "secret_to_communicate_with_the_proxy",
      "IP": "172.16.1.100",
      "PORT": 1812,
      "MODE": "standard",
      "AUTH_SOURCE": "LDAP_1,LDAP_2",
      "AUTH_METHOD": "email",
      "USE_APPEND_MODE": true,
      "APPEND_MODE_SEPARATOR": ",",
      "RUBLON_API": "https://core.rublon.net",
      "RUBLON_TOKEN": "SYSTEM_TOKEN",
      "RUBLON_SECRET": "SECRET_KEY"
    },
    {
      "NAME": "LDAP_PROXY",
      "AUTH_PROTOCOL": "LDAP",
      "IP": "0.0.0.0",
      "PORT": "636",
      "AUTH_SOURCE": "LDAP_1",
      "AUTH_METHOD": "push,email",
      "FAIL_MODE": "deny",
      "TRANSPORT_TYPE": "ssl",
      "PRIVATE_KEY": "C:\\Path\\To\\Private_key.pem",
      "CERT_KEY": "C:\\Path\\To\\Certificate.pem",
      "RUBLON_API": "https://core.rublon.net",
      "RUBLON_TOKEN": "SYSTEM_TOKEN",
      "RUBLON_SECRET": "SECRET_KEY"
    }
  ],
  "AUTH_SOURCES": [
    {
      "NAME": "LDAP_1",
      "AUTH_PROTOCOL": "LDAP",
      "IP": "172.16.3.100",
      "SEARCH_DN": "dc=test,dc=local",
      "ACCESS_USER_DN": "cn=Administrator,cn=Users,dc=test,dc=local",
      "ACCESS_USER_PASSWORD": "v3ryH@rdpa$$w0rd"
    },
    {
      "NAME": "LDAP_2",
      "AUTH_PROTOCOL": "LDAP",
      "IP": "172.16.3.101",
      "SEARCH_DN": "dc=test2,dc=local",
      "ACCESS_USER_DN": "cn=Administrator,cn=Users,dc=test2,dc=local",
      "ACCESS_USER_PASSWORD": "v3ryH@rdpa$$w0rd"
    },
    {
      "NAME": "RADIUS_1",
      "AUTH_PROTOCOL": "RADIUS",
      "IP": "172.16.2.100",
      "PORT": 1812,
      "SECRET": "secret_to_communicate_with_radius_server"
    }
  ]
}

Start Rublon Authentication Proxy

Linux

To run Rublon Authentication Proxy, start the service using one of the following commands:

systemctl start rublon.service

or

service rublon start

Windows

Run Rublon Authentication Proxy as a console application to ensure everything is set up properly:

  1. Open cmd as administrator and go to the proxy’s installation directory:
    cd C:\Program Files\Rublon Auth Proxy
  1. Run the proxy:
    .\bin\rublonauthproxy.exe

If Rublon Authentication Proxy is configured properly, the console displays the Started listening log. At this point, you can test user authentication. To test user authentication, use NTRadPing or start configuring Rublon with one of the services that support the Rublon Authentication Proxy.

If everything works, start the proxy as a service:

net start RublonAuthProxy

Alternatively, you can start the proxy as a service in the following way:

  1. Find Rublon Authentication Proxy Service on the Windows services list (services.msc).
  2. Right-click Rublon Authentication Proxy Service and select Start.

Update Rublon Authentication Proxy

Linux

  1. Stop Rublon service:
    systemctl stop rublon.service
    or
    service rublon stop
  2. Download the latest rublonauthproxy package and unpack it.
  3. Replace the lib directory inside the previously deployed rublonauthproxy folder.
  4. Make sure the rublonauthproxy/lib/rublonauthproxy file has proper permissions:
    chmod 775 rublonauthproxy/lib/rublonauthproxy
  5. Run the service:
    systemctl start rublon.service
    or
    service rublon start

Windows

Run the installer over your current installation to update the Rublon Authentication Proxy. Config and log files will be preserved.

Uninstall Rublon Authentication Proxy

Linux

  1. Stop Rublon service:
    systemctl stop rublon.service
    or
    service rublon stop
  2. Remove rublon.service:
    rm -f /lib/systemd/system/rublon.service
  3. Remove the rublonauthproxy directory:
    rm -rf rublonauthproxy

Windows

Run the unins000.exe file located in the installation directory. Note that configuration and log files will be preserved.

Troubleshooting

If you are facing an issue with the Rublon Authentication Proxy, try restarting the Rublon Authentication Proxy.

If restarting the Rublon Authentication Proxy didn’t fix your issue, go to your configuration file and set the DEBUG option to true. Then, check the contents of your rublonauthproxy.log file. Information contained in this file should in most cases be enough to troubleshoot issues related to the Rublon Authentication Proxy.

If you installed the Rublon Authentication Proxy on Windows, then rublonauthproxy.log is located in the following location:

C:\Program Files\Rublon Auth Proxy\logs\rublonauthproxy.log

If you installed the Rublon Authentication Proxy on Linux, then rublonauthproxy.log is located in the following location:

rublonauthproxy/logs/rublonauthproxy.log

Note that most issues occur due to incorrect configuration.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy – Release Notes

Rublon Authentication Proxy – Integrations

Rublon Authentication Proxy – Download

Rublon Authentication Proxy – Archive (Older Versions)

Rublon Downloads – Rublon Authentication Proxy

Rublon Authentication Proxy Modes Explained