Rublon

Secure Remote Access

By

Last updated on March 19, 2025

Overview of MFA for SonicWall SSL VPN

Multi-Factor Authentication (MFA) for SonicWall SSL VPN is an additional security measure that requires users to provide two accessibility credentials to gain access to SonicWall SSL VPN. The first factor requires the user to input their Active Directory/RADIUS username and password. After successfully completing the first factor, users will move on to the second authentication step which can include Mobile Push or Email Link. Once both of these factors are fulfilled, the user will gain access to the resource. Enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for SonicWall SSL VPN stops hackers from gaining access to resources even if they possess the user’s login information.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Demo Video of MFA for SonicWall SSL VPN

Before you start

You need to install and configure Rublon Authentication Proxy itself before configuring SonicWall SSL VPN to work with it. Please read the Rublon Authentication Proxy documentation and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like RADIUS, OpenLDAP, or Microsoft Active Directory.

Configuration of MFA for SonicWall SSL VPN

1. Log in to the SonicWall management GUI.

2. Click MANAGE in the top navigation menu.

3. Navigate to the left menu. Expand Users and select Settings. Afterwards, switch to the Authentication tab.

4. Set User Authentication Method to RADIUS.

5. Click CONFIGURE RADIUS on the right. Clicking the button opens the RADIUS Configuration window.

6. Click ADD… to add a new server. This opens the Add server window.

7. Enter the FQDN or IP address of the RADIUS server used for primary authentication.

8. Enter the RADIUS Secret set in Rublon Authentication Proxy as the Shared Secret in this window.

9. Click SAVE to add the new server.

10. While still in RADIUS Servers Settings, switch to General Settings.

11. Set RADIUS Server Timeout to 60 seconds.

12. Set Retries to 2.

13. Click APPLY to save these changes.

14. Select the RADIUS Users tab.

15. Set Default user group to which all RADIUS users belong to SSLVPN Services.

16. Click OK to save this change. Clicking OK closes the RADIUS Configuration window.

17. Navigate to the left menu. Extend SSL VPN and select Server Settings.

18. Make sure Use RADIUS in is unchecked in the RADIUS User Settings section. In case it’s checked, uncheck it, and click the ACCEPT button at the bottom of the site.

19. Your configuration is now finished. Users have Rublon 2FA enabled when logging in to your VPN.

Log in to SonicWall SSL VPN with Rublon 2FA enabled

This example portrays Rublon 2FA in NetExtender client using the Email Magic Link method.

1. Provide your login and password, and click Connect.

2. Check your mailbox for an email from Rublon. Open the email, and click Sign In.

3. You will be successfully logged in to the VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

Difficulties Connecting to the VPN

If you have difficulties connecting to your VPN or the second factor does not work, double-check you have specified e-mail addresses of Local Users in User Settings under Users → Local Users & Groups, and that the users belong to appropriate groups.

Sonicwall Global VPN: Difficulties Enabling LAN Access for VPN Users

If VPN users are unable to access specific LAN subnets, verify that you have configured the VPN Access settings for the appropriate user groups (or individual users) as described below.

For Local Groups:

  1. Go to VPN → Users → Local Groups.
  2. Click the configuration button for the group you want to grant VPN access to.
  3. Go to the VPN Access tab, scroll down to LAN Subnets, add the desired LAN network to the Access List, and click OK.

For Local Users:

  1. Go to VPN → Users → Local Users.
  2. Click the configuration button for the user you want to grant VPN access to.
  3. Go to the VPN Access tab, scroll down to LAN Subnets, add the LAN network to the Access List, and click OK.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations