Rublon

Secure Remote Access

By

Last updated on March 19, 2025

Overview of MFA for SonicWall WAN GroupVPN

Multi-Factor Authentication (MFA) for SonicWall WAN GroupVPN is an additional security measure that requires users to supply two forms of verification before they are granted access. The first layer of authentication involves entering their Active Directory / RADIUS username and password. After verifying this information, the user is asked to complete a second form of authorization using an available method, such as via a Mobile Push or Email Link. Only after both stages of verification are completed can the user access the resource. Implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for SonicWall WAN GroupVPN dramatically reduces the likelihood of a hacker compromising the user’s credentials and gaining access.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Demo Video of MFA for SonicWall WAN GroupVPN

Before you start

You need to install and configure Rublon Authentication Proxy itself before configuring SonicWall WAN GroupVPN to work with it. Please read the Rublon Authentication Proxy documentation and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like RADIUS, OpenLDAP or Microsoft Active Directory.

Configuration of MFA for SonicWall WAN GroupVPN

1. Log in to the SonicWall management GUI.

2. Click MANAGE in the top navigation menu.

3. Navigate to the left menu. Expand VPN and select Base Settings.

4. Click the Edit WAN GroupVPN server icon. Clicking the icon opens a VPN Policy window.

5. Click the Advanced tab, and check the group selected in the User group for XAUTH users dropdown. You have to use this group in your RADIUS configuration.

6. Make sure Require authentication of VPN clients by XAUTH is checked.

7. Click OK to save the changes you made. Clicking OK closes the VPN Policy window.

8. Navigate to the menu on the left. Expand Users and select Settings.

9. Select Authentication from the menu at the top.

10. Set User Authentication Method to RADIUS.

11. Click CONFIGURE RADIUS on the right. Clicking the button opens the RADIUS Configuration window.

12. Click ADD… to add a new server. This opens the Add server window.

13. Enter the FQDN or IP address of the RADIUS server used for primary authentication.

14. Enter the RADIUS Secret set in Rublon Authentication Proxy as the Shared Secret in this window.

15. Click SAVE to add the new server.

16. While still in RADIUS Servers Settings, switch to General Settings.

17. Set RADIUS Server Timeout to 60 seconds.

18. Set Retries to 2.

19. Click APPLY to save these changes.

20. Select the RADIUS Users tab.

21. Set Default user group to which all RADIUS users belong. It has to be the same group as in the VPN server configuration (step 5).

22. Click OK to save this change. Clicking OK closes the RADIUS Configuration window.

23. Navigate to the left menu. Extend SSL VPN and select Server Settings.

24. Make sure Use RADIUS in is unchecked in the RADIUS User Settings section. In case it’s checked, uncheck it, and click the ACCEPT button at the bottom of the site.

12. Your configuration is now finished. Users have Rublon 2FA enabled when logging in to your VPN.

Testing MFA for SonicWall WAN GroupVPN

This example portrays Rublon 2FA in SonicWall Global VPN Client using the Email Magic Link method. This example assumes you have already added a new connection in the client. 

1. Select your connection, and click the Enable button.

2. If this is your first login, you will be asked to enter the pre-shared key. Next, enter your username and password, and click OK.

3. Check your mailbox for an email from Rublon. Open the email, and click Sign In.

4. You will be successfully logged in. The Status of your connection in SonicWall Global VPN Client will change to Connected.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

Difficulties Connecting to the VPN

If you have difficulties connecting to your VPN or the second factor does not work, double-check you have specified e-mail addresses of Local Users in User Settings under Users → Local Users & Groups. Make sure the users belong to appropriate groups.

Sonicwall Global VPN: Difficulties Enabling LAN Access for VPN Users

If VPN users are unable to access specific LAN subnets, verify that you have configured the VPN Access settings for the appropriate user groups (or individual users) as described below.

For Local Groups:

  1. Go to VPN → Users → Local Groups.
  2. Click the configuration button for the group you want to grant VPN access to.
  3. Go to the VPN Access tab, scroll down to LAN Subnets, add the desired LAN network to the Access List, and click OK.

For Local Users:

  1. Go to VPN → Users → Local Users.
  2. Click the configuration button for the user you want to grant VPN access to.
  3. Go to the VPN Access tab, scroll down to LAN Subnets, add the LAN network to the Access List, and click OK.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations