[EXT] RADIUS client-server connection across internet

[Brian Julin]

Aaron Peschel <aaron.peschel at gmail.com> wrote:

> I'm looking to connect a Point to Site VPN endpoint to a RADIUS server
> across the internet, and I'm looking for some guidance on whether my
> understanding is correct.

> My understanding is having a RADIUS server listening directly on the
> internet would be bad security-wise, and should not be done, is this
> correct?

Depends on what protocol is running inside the RADIUS session.  If it is
a naked CHAP or something like that, then this would not be advisable.
If it is an EAP session carrying an encrypted tunnel, we do this all the
time with federated authentication systems such as eduroam, which is safe
as long as certificate validation is performed.  (If you only perform validation on
one side and the client is not validated, then extra hardening of the RADIUS
server is probably in order... we actually have an FreeRADIUS process instance
dedicated to receiving EAP sessions which runs at lower privilege and aggressively
strips all unnecessary TLVs from a session before allowing it through to the back end.)

> Instead, a better architecture would be to connect the RADIUS server and
> client over a secured channel, like a Site to Site VPN connection.

This design is also in use.  Some NASes/clients support RADSec for end-to-end
certificate-validated TLS tunnels to carry RADIUS traffic.  Other devices
support IPSec for all control plane traffic including RADIUS.  Another option if
your architecture allows for it is to have the client talk to a local RADIUS relay
that supports RADSEC and can proxy the RADIUS request over a TLS tunnel.