RADIUS client-server connection across internet
Matthew Schumacher
matt.s at aptalaska.net
Fri Oct 11 19:12:26 CEST 2019
There are a lot of little boxes you can deploy to create tunnels and
encrypt this traffic.
This box:
https://mikrotik.com/product/hex_s
Is only $60 on amazon and will do 450Mbps/40kpps of AES-128 in an IPsec
tunnel.
Absolutely agree with Alan, you should tunnel this with very few or no
exceptions.
schu
On 10/11/19 7:38 AM, Alan DeKok wrote:
> On Oct 11, 2019, at 10:34 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
>> On Fri, Oct 11, 2019 at 10:11:42AM -0400, Alan DeKok wrote:
>>> A RADIUS server is a critical piece of infrastructure, and should never be publicly reachable.
>> Hmm, if you use radius for a huge public site such as eduroam, couldn't
>> you argue that the RADIUS server is also publicly available here? Sure,
>> not directly via IP but through the wifi's authentication mechanism. At
>> least, to everyone within reach of an eduroam WIFI hotspot, which happen
>> to be quite a lot of people?
> Sending WiFi packets (i.e. EAP) is a bit different than sending RADIUS packets.
>
> Security isn't about doing one magical thing to make your systems secure. It's about doing every little thing to reduce the attack surface.
>
> For RADIUS, there is simply no good reason to make the servers publicly available. So they shouldn't be publicly available.
>
>> I fully agree with the encryption aspect, and perhaps a (D)DoS aspect,
> Absolutely a DoS aspect.
>
>> but aside from that imho running freeradius on a public IP shouldn't be
>> something to forbid due to security concerns, if at the same time you
>> allow it to be used for authenticating publicly available wifis. Sure,
>> on the public IP range there are more people than there are people with
>> access to a wifi such as eduroam. But that's besides the point, or am I
>> missing something here?
> You can choose which security tradeoffs you make for the systems you administer. My opinion is that in general, there's no reason to make RADIUS servers publicly available.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list