Rublon

Secure Remote Access

By

Last updated on May 6, 2025

Overview of MFA for Awingu

Rublon integrates with Awingu by using Rublon Authentication Proxy deployed as an on-premise server. Awingu uses the RADIUS protocol for multi-factor authentication (MFA), pointing to the Rublon Authentication Proxy server.

Users may choose between Passcode, Mobile Push, and Email Link for Two-Factor Authentication during their login to Awingu.

Note

Rublon Authentication Proxy has to be connected to the same Active Directory as Awingu. Rublon Authentication Proxy retrieves users’ email addresses from Active Directory during logins. Therefore, it is required that every user who shall be using 2FA has an email address defined in their Active Directory user properties. As a result, no user database synchronization is required.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Demo Video of MFA for Awingu

Before your start

You need to install and configure Rublon Authentication Proxy before configuring Awingu to work with it. If you have not installed a Rublon Authentication Proxy yet, please go to its documentation and follow the described installation and configuration steps. Afterward, come back to the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is an external Identity Provider (IdP) like FreeIPA, OpenLDAP, or Microsoft Active Directory.

Configuration of MFA for Awingu

Rublon Authentication Proxy

The following configuration shows all fields required by the Awingu configuration. Copy-paste the data to config.yaml and change the environment-specific values. The LDAP section should mirror the domain details configuration on the Awingu side.

For more information about Rublon Authentication Proxy configuration, see the documentation.

log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token: system_token_obtained_from_rublon_admin_console
  secret_key: secret_key_obtained_from_rublon_admin_console

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    ip: 172.16.1.100
    port: 1812
    radius_secret: secret_to_communicate_with_the_proxy
    mode: nocred
    auth_method: email

With this configuration, Rublon Authentication Proxy will be listening on 172.16.1.100:1812 (1812 is the default RADIUS port) for any incoming requests from Awingu. If a request is received, it will try to find the user’s email address in Active Directory (using the username sent within the request) and verify the token against Rublon. If the username, token or email address is invalid, the authentication request will be rejected. Please note that by default Awingu uses the sAMAccountName property as a username, and so does Rublon.

Awingu

The configuration on the Awingu side should mirror the Rublon Authentication Proxy configuration. It is assumed you have already set up your domain.

1. Go to Configure → User Connector.

2. Fill in the Multi-factor Authentication section. Refer to the following image and table to learn how to fill in the form.

ModeSet to RADIUS
ServersThe IP address of your Rublon Authentication Proxy server
PortThe port of your Rublon Authentication Proxy server
SecretThe RADIUS SECRET you set in Rublon Authentication Proxy
LDAP username attributeUse the same USERNAME_ATTRIBUTE you set in Rublon Authentication Proxy.
By default, it is set to “sAMAccountName”

3. Click the Apply button to save the changes.

4. Your configuration is now complete. You can use Rublon 2FA when logging in to Awingu.

Example of using Rublon MFA for Awingu

The example below shows how Rublon authenticates a particular user when they try to log in to Awingu.

1. First, they are asked to provide their username and password.

2. If the credentials that were entered in the first step were correct, then they are asked to provide an authentication method of their choosing.

Valid options are:

  • 123456 – a Passcode (6-digit TOTP code generated by Rublon Authenticator or another third-party authentication app like Google Authenticator or Microsoft Authenticator)
  • 123456789 – a Bypass Code (9-digit code received from the administrator)
  • push – a Mobile Push is sent to their phone; requires Rublon Authenticator
  • email – an email message containing an Email Link is sent to their email address
  • smsLink – a text message containing an SMS Link
  • phoneCall – a Phone Call from Rublon
  • <YubiKey OTP code> – insert the YubiKey and press the button on the key; the OTP will be typed automatically and then Enter will be pressed

Let’s assume they chose Passcode.

3. This Passcode is provided by Rublon Authenticator.

4. After entering a valid Passcode, they are logged in successfully.

Note

If the user provides an unrecognized authentication method in Step 2, Rublon Authentication Proxy will use the method found in the configuration file. The default method set in the configuration file is “email”.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations