On Oct 10, 2019, at 3:34 AM, Aaron Peschel <aaron.peschel@gmail.com> wrote:
I'm looking to connect a Point to Site VPN endpoint to a RADIUS server across the internet, and I'm looking for some guidance on whether my understanding is correct.
My understanding is having a RADIUS server listening directly on the internet would be bad security-wise, and should not be done, is this correct?
Yes.
Instead, a better architecture would be to connect the RADIUS server and client over a secured channel, like a Site to Site VPN connection.
Yes.
Is my understanding correct here? Would it be fine to connect a client to the server over the internet directly? Is there an alternative simpler solution that I am overlooking?
RADIUS over TLS. FreeRADIUS supports it, as does radsecproxy. Alan DeKok.