RADIUS client-server connection across internet

Alan DeKok aland at deployingradius.com
Fri Oct 11 16:38:48 CEST 2019

On Oct 11, 2019, at 10:34 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
> On Fri, Oct 11, 2019 at 10:11:42AM -0400, Alan DeKok wrote:
>>  A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable.
> Hmm, if you use radius for a huge public site such as eduroam, couldn't
> you argue that the RADIUS server is also publicly available here? Sure,
> not directly via IP but through the wifi's authentication mechanism. At
> least, to everyone within reach of an eduroam WIFI hotspot, which happen
> to be quite a lot of people?

  Sending WiFi packets (i.e. EAP) is a bit different than sending RADIUS packets.

  Security isn't about doing one magical thing to make your systems secure.  It's about doing every little thing to reduce the attack surface.

  For RADIUS, there is simply no good reason to make the servers publicly available.  So they shouldn't be publicly available.

> I fully agree with the encryption aspect, and perhaps a (D)DoS aspect,

  Absolutely a DoS aspect.

> but aside from that imho running freeradius on a public IP shouldn't be
> something to forbid due to security concerns, if at the same time you
> allow it to be used for authenticating publicly available wifis. Sure,
> on the public IP range there are more people than there are people with
> access to a wifi such as eduroam. But that's besides the point, or am I
> missing something here?

  You can choose which security tradeoffs you make for the systems you administer.  My opinion is that in general, there's no reason to make RADIUS servers publicly available.

  Alan DeKok.
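The thread's point is that the attack surface of a RADIUS server should be limited to the NAS and proxy peers that actually need it. One concrete way to check that on a FreeRADIUS host is to audit `clients.conf` for client definitions that match everyone (`0.0.0.0/0`, `*`) or very wide public ranges, and to derive a host firewall allow-list from the remaining entries. The script below is an added example, not FreeRADIUS or Alan DeKok's code; the `clients.conf` text it parses is constructed, the "wide range" thresholds and the nft rule layout are assumptions, and it only handles flat `client { }` blocks (no nested sections).

```python
"""Audit a FreeRADIUS clients.conf for client entries that leave the server
reachable from the public Internet, and emit an nft allow-list for the rest.
Added example; the config text below is constructed, not a real deployment."""
import ipaddress
import re

# Constructed sample in FreeRADIUS 3 syntax. 'anywhere' and 'wide-public' are
# the kind of entries that make the server publicly reachable.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client campus-nas {
    ipaddr = 192.0.2.0/24
    secret = placeholder-secret
}
client anywhere {
    ipaddr = 0.0.0.0/0
    secret = placeholder-secret
}
client legacy-style {
    ipaddr = 10.0.0.0
    netmask = 8
    secret = placeholder-secret
}
client wide-public {
    ipaddr = 203.0.113.0/8
    secret = placeholder-secret
}
client v6-partner {
    ipv6addr = 2001:db8:1::/48
    secret = placeholder-secret
}
"""

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)   # flat blocks only
KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return [(name, ip_network)] for every client block.  Understands
    ipaddr/ipv4addr/ipv6addr with or without a /prefix, the old 'netmask = N'
    key, '*' (any address), and blocks whose name is itself the address."""
    clients = []
    for match in CLIENT_BLOCK.finditer(text):
        name, body = match.group(1), match.group(2)
        kv = dict(KEY_VALUE.findall(body))
        addr = kv.get("ipaddr") or kv.get("ipv4addr") or kv.get("ipv6addr") or name
        if addr == "*":
            addr = "0.0.0.0/0"
        elif "/" not in addr and "netmask" in kv:
            addr = f"{addr}/{kv['netmask']}"
        try:
            clients.append((name, ipaddress.ip_network(addr, strict=False)))
        except ValueError:
            continue  # name was not an address and no address key was given
    return clients


def audit(text):
    """Return [(name, network, reason)] for entries that match every address or
    cover a very wide public range.  The width thresholds (more than a /16 of
    IPv4 space, more than a /64 of IPv6 space) are assumptions, not a standard."""
    findings = []
    for name, net in parse_clients(text):
        span = net.max_prefixlen - net.prefixlen      # host bits left open
        wide_limit = 16 if net.version == 4 else 64
        if span >= net.max_prefixlen:
            findings.append((name, str(net), "matches every address"))
        elif span > wide_limit and not net.is_private:
            findings.append((name, str(net), f"very wide public range ({2 ** span} addresses)"))
    return findings


def nft_allowlist(text, table="inet filter", chain="input"):
    """Emit nft rules accepting RADIUS auth/acct (UDP 1812/1813) only from
    clients the audit did not flag.  Assumes the chain's default policy is
    drop, so anything not listed here cannot reach the server at all."""
    flagged = {name for name, _, _ in audit(text)}
    rules = []
    for name, net in parse_clients(text):
        if name in flagged:
            continue
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f'add rule {table} {chain} {family} saddr {net} '
                     f'udp dport {{ 1812, 1813 }} accept comment "{name}"')
    return rules


if __name__ == "__main__":
    for name, net, reason in audit(SAMPLE_CLIENTS_CONF):
        print(f"FLAG {name}: {net} ({reason})")
    print("\n".join(nft_allowlist(SAMPLE_CLIENTS_CONF)))
```

Running it against the constructed config flags `anywhere` and `wide-public` and prints four `add rule` lines for the remaining clients; the firewall rules are only a complement to, not a replacement for, keeping the server off a public address in the first place.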
