Skip to main content

Barracuda VPN RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple solution for adding MFA to Barracuda VPN via its RADIUS solution. This manual illustrates how to configure both a Barracuda NextGen Firewall device and an Arculix MFA solution.


  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the Barracuda NextGen Firewall device.

Arculix RADIUS Agent configuration

To integrate Arculix with your Barracuda NextGen Firewall, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Barracuda NextGen Firewall, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:


    The values should be separated by semicolons (;).

    ARA_CLIENTS = <An optional name for your Barracuda device>; <Internal IP address of your Barracuda device>; <a shared secret>

    For example, set:

    ARA_CLIENTS = Barracuda;;testing12345
    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

Barracuda NextGen Firewall configuration

In this section, you'll configure Barracuda NextGen Firewall as a service provider (SP).

  1. Log in to the Barracuda NextGen Firewall administrative interface using the NextGen Admin client.

  2. Select the CONFIGURATION tab and go to Infrastructure Services > Authentication Service.

  3. Select RADIUS Authentication and click Lock to enable the configuration of a new RADIUS server.

  4. Click the + icon and add the Arculix RADIUS Agent IP address to the list of RADIUS servers.

  5. Enter the shared secret key between the Arculix RADIUS Agent and the Firewall.


    The timeout of the RADIUS call is increased to 120 seconds to allow the user enough time to allow the multi-factor request.

  6. Select Send Changes and click Activate to commit the configuration.

  7. Go to Configuration Tree > Virtual Servers and select a virtual server. Click VPN (VPN-Services).


    If the VPN entry does not appear, follow these steps to add it to the virtual server before proceeding:

    1. Right-click Assigned Services and select Create Service.

    2. Add a VPN service,

  8. Expand VPN (VPN-Services) and double-click SSL-VPN to open the VPN setup page.

  9. In the Configuration section, select Login.

  10. In the Login section, set Identity Scheme to Radius.

  11. Click Send Changes. Then, click Activate to commit the new configuration.

Test your application integration

  1. Launch the CudaLaunch utility and click Connect.

  2. When prompted, enter your Windows username and password.

  3. The Arculix Mobile app receives a push notification for your approval to log in.

  4. After access is approved, the VPN home page will be displayed.


If the authentication fails to work as expected, you can troubleshoot by running the phibstest utility in the command line of the Barracuda NextGen Firewall.

  1. To display the status of the authentication services, run the following command in a command line program:

    phibstest s | grep radius

    The return should show:

    fac_auth_radius_active = 1  
    fac_auth_radius_busy = 0  
    fac_auth_radius_error = 0  
    fac_auth_radius_max = 5  
    fac_auth_radius_ready = 1  
    fac_auth_radius_status = Ready  
  2. If the status does not display Ready, or there are errors, check the log files located at /phio0/logs/. The relevant logs files are:

    • box_Control_AuthService.log

    • box_Firewall_Activity.log

  3. Test reachability of the RADIUS server by running the command below.


    If you do not specify the timeout parameter, the call to the RADIUS server will time out after 5 seconds.

    phibstest a authscheme=radius server=S1 service=VPN user=WindowsUser password=WindowsPassword timeout=120 
  4. If the connectivity is impaired, ensure that your firewall access list allows outbound RADIUS traffic over UDP port 1812.

  5. If the authentication between the firewall and the Arculix RADIUS Agent is failing, ensure that the shared secret is correct.


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

Barracuda and Barracuda NextGen Firewall are trademarks of Barracuda Networks® and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.

Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.