On Oct 4, 2022, at 1:39 PM, Brian Julin <BJulin@clarku.edu> wrote:
Alan DeKok <aland@deployingradius.com> wrote:
Use RADIUS over TLS. It solves this problem, and is secure. I have a document which I will be working through the IETF as a new RADIUS standard. It will officially deprecate RADIUS/UDP, and require TLS transport for most situations. The document will also explain just how bad an idea it is to run RADIUS/UDP over the Internet. Do you like people breaking all of your security? No? Then don't run RADIUS/UDP over the Internet.
That surely cannot be emphasized enough. It's surprising people do it.
I just submitted a document to the IETF: https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius-... And wrote an article on it: https://networkradius.com/articles/2022/10/04/radius-insecurity.html From the IETF document: 4. All short Shared Secrets have been compromised Unless RADIUS packets are sent over a secure network (IPSec, TLS, etc.), administrators should assume that any shared secret of 8 characters or less has been immediately compromised. Administrators should assume that any shared secret of 10 characters or less has been compromised by an attacker with significant resources. Administrators should also assume that any private information (such as User-Password) which depends on such shared secrets has also been compromised. Further, if a User-Password has been sent over the Internet via RADIUS/UDP or RADIUS/TCP in the last decade, you should assume that password has been compromised by an attacker with sufficient resources.