If you want to enforce Multi-Factor Authentication (MFA) on specific Active Directory (AD) user groups and ensure that only those users are marked as Active in the Rublon Admin Console (thus consuming a license), follow these steps.
Before You Start
The Rublon Authentication Proxy is an application you can install on either Windows or Linux. It enables Multi-Factor Authentication (MFA) for services that support the RADIUS and LDAP(S) protocols. It also allows you to synchronize your Active Directory users into the Rublon Admin Console, which is the feature we will be using in this article.
Prerequisites:
Download and install the Rublon Authentication Proxy. You do not have to configure the Auth Proxy for RADIUS or LDAP authentication itself; you only need to prepare it for Active Directory Synchronization. Refer to How to synchronize users from Active Directory using Directory Sync for more information.
Ensure your Active Directory is set up as an authentication source in the Auth Proxy configuration.
Step 1: Open the Rublon Authentication Proxy Configuration File
Locate and open the Rublon Authentication Proxy configuration file. This file is named either config.json or config.yaml, depending on your choice when you configured the Auth Proxy.
For Windows, the configuration file is located in the directory:
C:\Program Files\Rublon Auth Proxy\config\config.yaml
For Linux, the file can be found at:
/etc/rublonauthproxy/config/config.yaml
If the file does not exist yet, you can create one using one of the templates located in rublonauthproxy/config/examples. We recommend using the YAML format for your configuration file.
Step 2: Configure AD Sync for Selected User Groups
1. In the Auth Proxy configuration file, add the directory_sync section.
2. Set the enabled flag to true to enable directory synchronization.
3. Set the source_type to ad.
4. Define your AD groups under the group_dns field by listing their full distinguished names (DNs). These are the AD groups whose members will have MFA enforced. Only these users will be synchronized as Active in Rublon and will consume a license.
5. Here’s an example configuration (in YAML):
directory_sync:
  enabled: true
  auth_source: EXAMPLE_AD
  source_type: ad
  group_dns:
    - cn=some-group,dc=example,dc=org
    - cn=some-group2,dc=example,dc=org
auth_sources:
  - name: EXAMPLE_AD
    type: LDAP
    ip: localhost
    port: 636
    transport_type: ssl
    search_dn: dc=example,dc=org
    access_user_dn: cn=admin,dc=example,dc=org
    access_user_password: some-very-hard-password
rublon:
  rublon_api: https://core.rublon.net
  rublon_token: ABC
  rublon_secret: def
It is important to define the correct search_dn. This is the root Distinguished Name from which the directory will be searched, typically your company’s AD FQDN (See: How do I find the FQDN for my Active Directory server (search_dn in Rublon Auth Proxy config)?). Users are first located under the authentication source’s search_dn; only then is a membership check performed to verify whether they belong to the groups listed in group_dns. A user who is not found under search_dn, or who is not a member of any listed group, is not synchronized and is treated as an unknown user.
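To make the scoping rule concrete, here is an added example (not Rublon’s code) that loads the article’s configuration in its JSON form, sanity-checks the directory_sync section, and classifies a constructed set of directory users into those that would be synchronized as Active and those that would remain unknown. The subtree match on search_dn and the simplified DN normalisation are assumptions made for illustration.

```python
import json

# Constructed JSON form of the article's YAML example (config.json is also accepted); placeholder credentials.
CONFIG_JSON = """{
  "directory_sync": {"enabled": true, "auth_source": "EXAMPLE_AD", "source_type": "ad",
    "group_dns": ["cn=some-group,dc=example,dc=org", "cn=some-group2,dc=example,dc=org"]},
  "auth_sources": [{"name": "EXAMPLE_AD", "type": "LDAP", "ip": "localhost", "port": 636,
    "transport_type": "ssl", "search_dn": "dc=example,dc=org",
    "access_user_dn": "cn=admin,dc=example,dc=org",
    "access_user_password": "some-very-hard-password"}]
}"""

# Constructed directory snapshot: (user DN, memberOf DNs). Not real accounts.
DIRECTORY = [
    ("cn=alice,ou=staff,dc=example,dc=org", ["cn=some-group,dc=example,dc=org"]),
    ("cn=bob,ou=staff,dc=example,dc=org", ["CN=Some-Group2, DC=example, DC=org"]),  # case/spacing differs
    ("cn=carol,ou=staff,dc=example,dc=org", ["cn=other-group,dc=example,dc=org"]),  # not a listed group
    ("cn=dave,dc=partner,dc=net", ["cn=some-group,dc=example,dc=org"]),            # outside search_dn
]

def load_config():
    return json.loads(CONFIG_JSON)

def norm_dn(dn):
    """Simplified DN normalisation (lowercase, trim around commas); ignores RFC 4514 escaping."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def check_config(cfg):
    """Return a list of configuration problems (empty list means the sync section looks sane)."""
    ds, problems = cfg.get("directory_sync", {}), []
    if ds.get("enabled") is not True:
        problems.append("directory_sync.enabled must be true")
    if ds.get("source_type") != "ad":
        problems.append("directory_sync.source_type must be 'ad'")
    if not ds.get("group_dns"):
        problems.append("group_dns is empty, so no user would be synced as Active")
    return problems

def classify_users(cfg, directory):
    """Split users into (active, bypassed): active = under search_dn AND member of a listed group.
    Everyone else is an 'unknown user' and, with Step 5's Bypass setting, skips MFA."""
    ds = cfg["directory_sync"]
    src = next(s for s in cfg["auth_sources"] if s["name"] == ds["auth_source"])
    search_dn, groups = norm_dn(src["search_dn"]), {norm_dn(g) for g in ds["group_dns"]}
    active, bypassed = [], []
    for user_dn, member_of in directory:
        in_scope = norm_dn(user_dn).endswith("," + search_dn)   # subtree of search_dn (assumption)
        in_group = any(norm_dn(g) in groups for g in member_of)
        (active if in_scope and in_group else bypassed).append(user_dn)
    return active, bypassed
```

Running classify_users on the snapshot shows that dave, despite being in a listed group, is never found because his DN is outside search_dn, which is exactly the case a wrong search_dn produces for every user.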
Step 3 (Optional): Run Directory Sync Manually
After editing and saving the configuration file, you can run the directory sync manually to test the configuration. Otherwise you would have to wait until the next time the Auth Proxy runs its scheduled sync.
- For Windows: Open the Rublon Auth Proxy/bin directory and double-click the rublon-directorysync.exe file
- For Linux: Run the rublonauthproxy/bin/rublon-directorysync.exe file
Step 4: Save and Restart the Rublon Authentication Proxy Service
After editing and saving the configuration file, restart the Rublon Authentication Proxy service to apply the changes.
For Windows: Open a command prompt as Administrator and run:
net stop rublonauthproxy
net start rublonauthproxy
For Linux: Use the following command:
sudo systemctl restart rublonauthproxy
Step 5: Set Enrollment Type for Unknown Users
To prevent users outside the selected AD groups from consuming licenses and being required to use MFA, configure how Rublon handles unknown users:
1. Sign in to the Rublon Admin Console.
2. Go to the Settings tab.
3. Set Enrollment Type to Manual and Handling of unknown users to Bypass. Do not forget to click Save to save the changes. This ensures that users not synchronized from the specified AD groups will bypass MFA and will not be present in the Rublon Admin Console, thus not using a license.
Step 6: Verify Configuration
1. In the Rublon Admin Console, go to the Users tab to ensure that only users from the selected AD groups (specified in group_dns) have been added to the Admin Console with the status set to Active.
If a user who does not belong to any of the selected AD user groups attempts to log in, they will be bypassed (MFA will be skipped). Such a user will not be added to the Users tab in the Rublon Admin Console and will not consume a license.
2. Go to the Groups tab and confirm that the AD groups are synchronized.
Helpful Links
Rublon Authentication Proxy - Download
Rublon Authentication Proxy - Documentation
How do I find the FQDN for my Active Directory server (search_dn in Rublon Auth Proxy config)?
How to synchronize users from Active Directory using Directory Sync