MFA for RADIUS

Last updated on September 1, 2025

MFA for RADIUS is a multi-layered approach to the authentication of RADIUS users. Usually consisting of two security layers, RADIUS MFA provides a login and password as the first authentication factor and an extra authentication method as the first authentication factor. The additional authentication method must be either something you have (e.g., enrolled mobile device, FIDO2 Security Key) or something you are (e.g., fingerprint or other biometrics).

What is RADIUS?

RADIUS is a computer networking protocol that employs the three A’s. The first A stands for Authentication, the second A is Authorization, and the last A refers to Accounting. Let’s focus on the first A and learn how RADIUS works within Multi-Factor Authentication (MFA).

RADIUS Protocol vs. RADIUS Server – Let’s Clear It Up!

It is crucial to distinguish between the RADIUS protocol and the RADIUS server. The RADIUS protocol is a data transfer protocol used during communication between a RADIUS server and a RADIUS client. The RADIUS server, on the other hand, is a process that runs in the background on a Windows or Linux server and stores user profiles in a database. These profiles include user credentials such as a hash of a password.

In other words, the RADIUS server either is the Identity Provider (IdP) itself or is closely connected to an identity provider (IdP) (like a MySQL database) and can therefore be used as the source of your user credentials during the first step of Multi-Factor Authentication (MFA). One of the most popular RADIUS servers is FreeRADIUS.

Analogous to the RADIUS server, the RADIUS client is one of the parties that take part in the communication that uses the RADIUS protocol. The RADIUS client is usually a network access server (NAS) such as a virtual private network (VPN), router, or switch.

It is essential to know the difference between the RADIUS protocol, server, and client because it is easy to confuse these terms, which consecutively may lead to more misunderstandings.

How to make the RADIUS Protocol More Secure?

The RADIUS protocol does not encrypt the packets sent in communication between the client and server. The sole exception is the password. Despite password encryption, RADIUS is only as secure as its implementation. But even with an exemplary implementation, if a password is the only barrier a hacker must circumvent to break into your account, you are as good as hacked.

But there is a way. It is called Multi-Factor Authentication, or MFA for short. MFA adds an extra layer of security to your logins. If you combine your password with a Mobile Push authentication request, you boost your account security. But how does MFA work?

How Does MFA Work With RADIUS?

To enable MFA on your VPNs, you need to use the Rublon Authentication Proxy. The Rublon Authentication Proxy is an on-premises RADIUS proxy server.

With Rublon MFA enabled, the Rublon Authentication Proxy uses the RADIUS protocol to communicate with Service Providers, such as your VPN. To speak with an Identity Provider, the Rublon Authentication Proxy uses either the RADIUS protocol (if you store your users in, e.g., FreeRADIUS) or the LDAP protocol (if you store your users in, e.g., Active Directory).

1. User signs in to the Integrated Service (Service Provider) by providing their login and password

2. The Integrated Service contacts the Rublon Authentication Proxy using the RADIUS protocol.

3. The Rublon Authentication Proxy asks the Identity Provider (either a RADIUS Server or an LDAP Server) if the password is correct.

(Note that Rublon Authentication Proxy uses PAP or a more secure type of CHAP protocol to speak to the RADIUS Server. However, LDAP(S) is used to speak to the LDAP Server.)

4. If the password is correct, the Rublon Authentication Proxy contacts the Rublon API and asks the Rublon API to challenge the user for the second authentication factor, e.g., a Mobile Push authentication request is sent to the User’s phone

5. If the User accepts the push, they get connected to the Integrated Service.

Can I Use FreeRADIUS as the IdP For My Cloud Apps?

Yes, you can! You can deploy the Rublon Access Gateway, a dedicated Rublon solution used for integration with cloud apps. Then, you can set your FreeRADIUS (or any other RADIUS server) as the Identity Provider in the Rublon Access Gateway. Refer to MFA for SAML for more information.

How Do I Enable MFA on My VPNs and Other RADIUS-Compatible Services?

Here’s a step-by-step guide on how to enable Rublon MFA on one or more of your RADIUS-compatible applications:

1. Deploy and configure the Rublon Authentication Proxy.
2. Find the integration instructions in our documentation.
3. Follow the instructions and integrate your service with the Rublon Authentication Proxy.
4. Repeat steps 2 and 3 for any number of RADIUS-Compatible services you want.

Related Posts

• MFA for SAML
• MFA for LDAP
• MFA for Active Directory
• Rublon Authentication Proxy – Documentation