RADIUS client-server connection across internet

Matthew Schumacher matt.s at aptalaska.net
Fri Oct 11 19:12:26 CEST 2019


There are a lot of little boxes you can deploy to create tunnels and 
encrypt this traffic.

This box:
https://mikrotik.com/product/hex_s

is only $60 on Amazon and will do 450Mbps/40kpps of AES-128 in an IPsec 
tunnel.

Absolutely agree with Alan; you should tunnel this with very few or no 
exceptions.

schu

On 10/11/19 7:38 AM, Alan DeKok wrote:
> On Oct 11, 2019, at 10:34 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
>> On Fri, Oct 11, 2019 at 10:11:42AM -0400, Alan DeKok wrote:
>>>   A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable.
>> Hmm, if you use radius for a huge public site such as eduroam, couldn't
>> you argue that the RADIUS server is also publicly available here? Sure,
>> not directly via IP but through the wifi's authentication mechanism. At
>> least, to everyone within reach of an eduroam WIFI hotspot, which happens
>> to be quite a lot of people?
>    Sending WiFi packets (i.e. EAP) is a bit different than sending RADIUS packets.
>
>    Security isn't about doing one magical thing to make your systems secure.  It's about doing every little thing to reduce the attack surface.
>
>    For RADIUS, there is simply no good reason to make the servers publicly available.  So they shouldn't be publicly available.
>
>> I fully agree with the encryption aspect, and perhaps a (D)DoS aspect,
>    Absolutely a DoS aspect.
>
>> but aside from that imho running freeradius on a public IP shouldn't be
>> something to forbid due to security concerns, if at the same time you
>> allow it to be used for authenticating publicly available wifis. Sure,
>> on the public IP range there are more people than there are people with
>> access to a wifi such as eduroam. But that's besides the point, or am I
>> missing something here?
>    You can choose which security tradeoffs you make for the systems you administer.  My opinion is that in general, there's no reason to make RADIUS servers publicly available.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
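The thread's advice is that a RADIUS server should only be reachable from its NAS/proxy peers, ideally over an IPsec tunnel, never from arbitrary public sources. One place this quietly goes wrong is `clients.conf`: a `client` block with `ipaddr = *`, `0.0.0.0/0`, `::/0` or a public NAS address means the server will answer RADIUS from outside the tunnel or LAN. The following is an added example (not code from the thread or from the FreeRADIUS project): a small Python audit that parses a `clients.conf`-style text and flags client definitions not confined to RFC 1918 / ULA / loopback space. The sample configuration is constructed for the example; the addresses in it, the client names, and the choice of what counts as "internal" (`PRIVATE_NETS`) are assumptions you should adapt to your tunnel addressing.

```python
"""Audit a FreeRADIUS clients.conf for client definitions that would let
RADIUS be reached from outside private/tunnel address space.

Added example; not FreeRADIUS project code. Assumes flat 'client name { ... }'
blocks (no nested sections such as 'limit { }' inside a client).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Address space treated as "internal". Assumption: NAS and proxy peers reach
# the server over an IPsec tunnel or LAN numbered from these ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]

# Constructed sample configuration (hypothetical names and secrets).
# 198.51.100.0/24 is a documentation range standing in for a public NAS.
SAMPLE_CLIENTS_CONF = """
client ipsec-peer {
    ipaddr = 10.200.0.2
    secret = example-secret-1
}
client office-lan {
    ipv4addr = 192.168.10.0/24
    secret = example-secret-2
}
client any {
    ipaddr = *
    secret = example-secret-3
}
client remote-nas {
    ipaddr = 198.51.100.7
    secret = example-secret-4
}
client v6-world {
    ipv6addr = ::/0
    secret = example-secret-5
}
"""

_CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_ADDR_LINE = re.compile(r"^\s*(?:ipaddr|ipv4addr|ipv6addr)\s*=\s*(\S+)",
                        re.MULTILINE)


def parse_clients(conf: str) -> Dict[str, List[str]]:
    """Map each client block name to the address values it declares."""
    return {name: _ADDR_LINE.findall(body)
            for name, body in _CLIENT_BLOCK.findall(conf)}


def classify_address(value: str) -> str:
    """Return 'ok', 'wildcard', 'public' or 'unparsed' for one ipaddr value."""
    if value == "*":
        return "wildcard"                      # FreeRADIUS wildcard: any source
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "unparsed"                      # hostname or typo: check by hand
    if net.prefixlen == 0:
        return "wildcard"                      # 0.0.0.0/0 or ::/0
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS):
        return "ok"
    return "public"                            # outside tunnel/LAN space


def audit(conf: str) -> List[Tuple[str, str, str]]:
    """List (client, address, finding) for every client not confined to
    private/tunnel address space."""
    findings = []
    for name, addrs in parse_clients(conf).items():
        if not addrs:
            findings.append((name, "", "no ipaddr declared"))
            continue
        for addr in addrs:
            verdict = classify_address(addr)
            if verdict != "ok":
                findings.append((name, addr, verdict))
    return findings


if __name__ == "__main__":
    for client, addr, why in audit(SAMPLE_CLIENTS_CONF):
        print(f"{client:12s} {addr:18s} {why}")
```

Run it against the real file (`audit(open("/etc/raddns/clients.conf").read())`, path adjusted to your install) before exposing anything; a "wildcard" or "public" finding means the tunnel is not the only path to UDP 1812/1813, and the host firewall should also drop RADIUS from anything other than the tunnel peer address.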
