On Sep 18, 2024, at 12:49 AM, George Benjin <george.benjin@gmail.com> wrote:
You need to be very careful running a RADIUS server in Azure if you're using RADIUS/UDP.
Azure has a network security feature on by default that drops fragmented UDP packets that arrive out of order. This negatively impacts RADIUS/UDP traffic.
Yes, that's a serious issue. The solution would be to use RADIUS/TLS.
Another thing to be wary of is setting 'tls_max_version' to 1.3. Windows 11 supports TLS 1.3 by default for EAP-TLS etc but does not yet support session resumption when using this protocol (see https://learn.microsoft.com/en-us/windows-server/networking/technologies/ext...). It's worth dropping the Max version to 1.2.
I had discussions with Microsoft a year or so about this. They were very happy to tell me that they had decided to not implement session resumption for TLS 1.3. They were not happy when I explained it was 100% necessary for many environments. A year later, "yeah, we'll fix it eventually". That's not useful. Alan DeKok.