RADIUS client-server connection across internet

Alan DeKok aland at deployingradius.com
Fri Oct 11 16:11:42 CEST 2019


On Oct 11, 2019, at 9:45 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
> 
> On Thu, Oct 10, 2019 at 09:01:08AM -0400, Alan DeKok wrote:
>>> My understanding is having a RADIUS server listening directly on the
>>> internet would be bad security-wise, and should not be done, is this
>>> correct?
>> 
>>  Yes.
> 
> Yes, because the communication between radius server and radius client
> (AP, switch,...) would be unencrypted? Or yes, because you consider the
> radius server to have a high attack surface and thus should never be
> publicly reachable, even though access to it is controlled via the
> clients.conf file?

  Both.  There is simply no reason to send RADIUS traffic unencrypted when a secure alternative exists.

  A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable.

  Alan DeKok.
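A concrete form of the advice above, added here as an illustration and not taken from the thread: a FreeRADIUS 3.x configuration contrasting a plain-UDP listener bound to every interface with a RadSec (RADIUS over TLS, RFC 6614) listener that also limits which peers may connect via clients.conf. Addresses, certificate paths and secrets are placeholders.

```conf
# WEAK: classic RADIUS over UDP bound to all interfaces. Packets, including
# User-Password (hidden only by an MD5 construction keyed with the shared
# secret), cross the network in the clear. Acceptable only on a trusted LAN.
listen {
	type   = auth
	ipaddr = *            # binds every interface, a public one included
	port   = 1812
}

client any-nas {
	ipaddr = 0.0.0.0/0    # any source address may talk to the server
	secret = testing123   # guessable secret is the only thing authenticating the NAS
}

# PREFERRED: RadSec listener. TLS encrypts the whole RADIUS exchange and
# both sides authenticate with certificates. Pair it with a host firewall
# that admits only the known peers on 2083/tcp.
listen {
	type           = auth
	proto          = tcp
	ipaddr         = 203.0.113.10     # documentation address, placeholder
	port           = 2083
	virtual_server = default
	clients        = radsec
	tls {
		private_key_file    = ${certdir}/server.pem   # placeholder paths
		certificate_file    = ${certdir}/server.pem
		ca_file             = ${cadir}/ca.pem
		require_client_cert = yes   # refuse peers without a cert from our CA
	}
}

clients radsec {
	client branch-ap {
		ipaddr = 198.51.100.7     # the single peer allowed on this listener
		proto  = tls
		secret = radsec           # fixed value per RFC 6614; TLS, not this, protects the session
	}
}
```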
