Last updated on July 8, 2025
Overview of MFA for Stormshield SSL VPN using RADIUS
This documentation describes how to integrate Rublon MFA with Stormshield SSL VPN using the RADIUS protocol to enable multi-factor authentication for VPN connections.
Supported Authentication Methods
| Authentication Method | Supported | Comments |
| --- | --- | --- |
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Key | – | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | – | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | – | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP Security Key | ✔ | N/A |
Before You Start Configuring MFA for Stormshield SSL VPN using RADIUS
Before configuring Rublon MFA for Stormshield VPN:
- Ensure you have prepared all required components.
- Create an application in the Rublon Admin Console.
- Install the Rublon Authenticator mobile app.
Required Components
1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeRADIUS.
2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already.
WARNING
You need to install Rublon Authentication Proxy version 3.4.0 or higher for this integration to work properly!
3. Stormshield – Properly installed and configured firewall.
Create an Application in the Rublon Admin Console
1. Sign up for the Rublon Admin Console.
2. In the Rublon Admin Console, go to the Applications tab and click Add Application.
3. Enter a name for your application (e.g., Stormshield VPN) and then set the type to Rublon Authentication Proxy.
4. Click Save to add the new application in the Rublon Admin Console.
5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.
Install Rublon Authenticator
Some end-users may install the Rublon Authenticator mobile app. As the person configuring MFA for Stormshield VPN, you should install the Rublon Authenticator mobile app, too, so that you can test MFA for Stormshield via Mobile Push.
Configuring Multi-Factor Authentication (MFA) for Stormshield SSL VPN using RADIUS
Follow these instructions to set up MFA for Stormshield SSL VPN using the RADIUS protocol.
Configuring the RADIUS Server
1. From the Stormshield Network Security (SNS) administrator console, select the Configuration tab. Then, go to Users → Authentication.

2. In the Available Methods tab, click Add a method and select Radius. A RADIUS form with a few fields should appear to the right.

3. Click the + (plus) sign next to Server, fill out the fields, and click Create. You must fill in the following fields:
- Object name: the name for your Rublon Authentication Proxy server, e.g., AuthProxy
- IPv4 address: the IP address of your Rublon Authentication Proxy server

4. Back in the RADIUS form, keep Port as radius.
5. In Pre-Shared Key, enter the value of RADIUS_SECRET from the Rublon Authentication Proxy config file and click Apply to save the new RADIUS server.

Creating Authentication Policies
Now that you have configured the RADIUS server, you need to create two authentication policies that enforce the RADIUS protocol on SSL VPN connections.
1. Go to Users → Authentication → Authentication Policy.

2. Click New Rule and select Standard Rule. A new window will open.

3. In the User tab, select the user group that will have to undergo RADIUS logins.

4. In the Source tab, click Add an interface. Then click select interface and select [Ethernet] out from the dropdown menu.

5. In the Authentication methods tab, select Default method and click Remove to remove the default method. Then, select Authorize a method → RADIUS to add a new method.

6. Click OK to confirm all changes.
7. Now you need to add a second authentication policy. Go through all steps of Creating Authentication Policies in this documentation again, but select [SSL VPN] SSL VPN in the Source tab in Step 4. All other steps for the second policy are the same.

8. Now that you have created two authentication policies, you must enable them. To do this, double-click the Disabled switch for both policies in the Status column so that it changes to Enabled.

9. Click Apply at the bottom of the page to save all changes.
10. Congratulations. You have successfully configured Rublon MFA for Stormshield VPN using RADIUS. You can now test MFA.
Increasing the Timeout
The default RADIUS timeout in Stormshield is only 3 seconds. Increase it to 30 seconds so that users have enough time to complete Rublon MFA.
1. Open an SNS CLI session as admin (via SSH or in the CLI console directly on the firewall through the System → CLI Console module).
2. Enter the command:
CONFIG AUTH RADIUS timeout=30000 btimeout=30000
This sets the primary and backup RADIUS server timeouts to 30000 ms (30 seconds).
3. Enter the following command to apply the new authentication settings:
CONFIG AUTH ACTIVATE
Testing Multi-Factor Authentication (MFA) for Stormshield SSL VPN Integrated Via RADIUS
This example shows logging in to Stormshield VPN via the Stormshield SSL VPN Client. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Start the Stormshield SSL VPN Client, e.g., right-click the app in the tray and select Start VPN.
2. Provide your Firewall address, Username, and Password, and click OK.

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

4. You will be connected to the VPN.
Troubleshooting of MFA for Stormshield SSL VPN using RADIUS
Blast-RADIUS Vulnerability Protection
RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.
The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.
If you are experiencing issues with your RADIUS integration, ensure that force_message_authenticator is set to true.
If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
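The Message-Authenticator validation mentioned above, as an added example that is not code from Rublon or Stormshield: per RFC 2869 the attribute (type 80) carries an HMAC-MD5 over the whole packet, keyed with the RADIUS shared secret and computed while the attribute value is zeroed. The `require` flag is a hypothetical stand-in for an enforcement setting such as force_message_authenticator, and the packet, username and secret are constructed samples.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_access_request(secret: bytes, username: bytes, sign: bool = True) -> bytes:
    """Build a minimal, constructed Access-Request (code 1) for the demo."""
    attrs = bytes([1, 2 + len(username)]) + username       # User-Name
    if sign:
        attrs += bytes([MSG_AUTH, 18]) + bytes(16)         # zeroed placeholder
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + os.urandom(16)
    pkt = bytearray(header + attrs)
    if sign:
        # HMAC-MD5 over the whole packet while the attribute value is zero
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_message_authenticator(pkt: bytes, secret: bytes, require: bool = True) -> bool:
    """Return True only if the Access-Request passes the integrity check."""
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        return False
    pkt, pos, found = pkt[:length], 20, None
    while pos + 2 <= length:                               # walk the attribute list
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                                   # malformed attribute
        if atype == MSG_AUTH:
            if alen != 18 or found is not None:
                return False                               # bad size or duplicate
            found = pos + 2
        pos += alen
    if pos != length:
        return False                                       # trailing bytes
    if found is None:
        return not require                                 # unsigned: reject when enforcing
    zeroed = pkt[:found] + bytes(16) + pkt[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found:found + 16])

SECRET = b"constructed-shared-secret"                      # sample value, not a real key
signed = build_access_request(SECRET, b"alice")
unsigned = build_access_request(SECRET, b"alice", sign=False)
print(verify_message_authenticator(signed, SECRET))        # signed packet
print(verify_message_authenticator(unsigned, SECRET))      # unsigned, enforcement on
```

A mismatch between the Pre-Shared Key on the firewall and RADIUS_SECRET on the proxy fails this check in the same way as a tampered packet, which is why the two values must be identical.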
If you encounter any issues with your Rublon integration, please contact Rublon Support.