On Oct 11, 2019, at 9:45 AM, Hans-Christian Esperer <hc@hcesperer.org> wrote:
On Thu, Oct 10, 2019 at 09:01:08AM -0400, Alan DeKok wrote:
My understanding is having a RADIUS server listening directly on the internet would be bad security-wise, and should not be done, is this correct?
Yes.
Yes, because the communication between radius server and radius client (AP, switch,...) would be unencrypted? Or yes, because you consider the radius server to have a high attack surface and thus should never be publicly reachable, even though access to it is controlled via the clients.conf file?
Both. There is simply no reason to send RADIUS traffic unencrypted when a secure alternative exists. A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable. Alan DeKok.