Aaron Peschel <aaron.peschel@gmail.com> wrote:
I'm looking to connect a Point to Site VPN endpoint to a RADIUS server across the internet, and I'm looking for some guidance on whether my understanding is correct.
My understanding is having a RADIUS server listening directly on the internet would be bad security-wise, and should not be done, is this correct?
Depends on what protocol is running inside the RADIUS session. If it is a naked CHAP or something like that, then this would not be advisable. If it is an EAP session carrying an encrypted tunnel, we do this all the time with federated authentication systems such as eduroam, which is safe as long as certificate validation is performed. (If you only perform validation on one side and the client is not validated, then extra hardening of the RADIUS server is probably in order... we actually have an FreeRADIUS process instance dedicated to receiving EAP sessions which runs at lower privilege and aggressively strips all unnecessary TLVs from a session before allowing it through to the back end.)
Instead, a better architecture would be to connect the RADIUS server and client over a secured channel, like a Site to Site VPN connection.
This design is also in use. Some NASes/clients support RADSec for end-to-end certificate-validated TLS tunnels to carry RADIUS traffic. Other devices support IPSec for all control plane traffic including RADIUS. Another option if your architecture allows for it is to have the client talk to a local RADIUS relay that supports RADSEC and can proxy the RADIUS request over a TLS tunnel.