RADIUS client-server connection across internet

Hans-Christian Esperer hc at hcesperer.org
Fri Oct 11 16:34:36 CEST 2019

On Fri, Oct 11, 2019 at 10:11:42AM -0400, Alan DeKok wrote:
>   A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable.

Hmm, if you use radius for a huge public site such as eduroam, couldn't
you argue that the RADIUS server is also publicly available here? Sure,
not directly via IP but through the wifi's authentication mechanism. At
least, to everyone within reach of an eduroam WIFI hotspot, which happen
to be quite a lot of people?

I fully agree with the encryption aspect, and perhaps a (D)DoS aspect,
but aside from that imho running freeradius on a public IP shouldn't be
something to forbid due to security concerns, if at the same time you
allow it to be used for authenticating publicly available wifis. Sure,
on the public IP range there are more people than there are people with
access to a wifi such as eduroam. But that's besides the point, or am I
missing something here?


More information about the Freeradius-Users mailing list