AD-integration working well - questions about risk/exposure and related mechanisms

Dag B dag at bakke.com
Mon Jan 16 19:32:18 UTC 2023


So, after some fiddling, I can now authenticate users of our network 
gear (network admins) with AD, via freeradius. Thank you to any and all 
who have made that possible. It is truly appreciated.


Arriving here, I just wanted to ask if there is any document discussing 
any additional risk or exposure for the AD-accounts by doing this.

Note: I am not trying to imply there is one, nor am I trying to sell 
five feathers as whole chicken in a bag or however that analogy goes. I 
am merely acknowledging my relative ignorance w.r.t. how AD and RADIUS 
works and what security mechanisms it has in place for preventing abuse.

From the top of my head:

- Can someone use freeradius for unlimited tries at guessing an AD password?

- If the radius secret becomes known to a bad actor, could they set up a 
'farm' of radius clients in the defined client address spaces to bypass 
rate limits?

- And likewise, could they instrument their radius client to reveal more 
information than we intend to?

- Is there a better way to define clients than defining static hosts or 
networks in clients.conf? (We have an IPAM with an API. Could we employ 
this to only permit radius requests from known (expected) radius clients?)


And I am certain there are more questions I should be asking. Conscious 
Incompetence and all that jazz....


Thanks,


Dag B
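One way to act on the clients.conf/IPAM question above, added here as an example and not code from the original post or from the FreeRADIUS project: a small generator that turns IPAM records into clients.conf entries, admitting only single-host addresses with a per-client secret of reasonable length that no other client shares. The IPAM response format is a constructed, hypothetical schema, as are the hostnames and secrets; the clients.conf keywords (`ipaddr`, `secret`, `shortname`) are the real ones.

```python
import ipaddress
import json

# Constructed sample of what an IPAM API might return (hypothetical schema,
# not any real IPAM product's format). Secrets here are placeholders.
IPAM_RESPONSE = json.dumps([
    {"hostname": "core-sw1", "address": "10.0.0.11", "role": "radius-client", "secret": "s3cr3t-core-sw1-example"},
    {"hostname": "edge-sw7", "address": "10.0.5.7", "role": "radius-client", "secret": "s3cr3t-edge-sw7-example"},
    {"hostname": "printer-3", "address": "10.0.9.2", "role": "printer", "secret": ""},
    {"hostname": "lab-net", "address": "10.1.0.0/16", "role": "radius-client", "secret": "shared-lab"},
])

MIN_SECRET_LEN = 16  # policy choice for this example, not a FreeRADIUS requirement


def render_clients(ipam_json, shortname_prefix="ipam-"):
    """Return (clients_conf_text, rejected) built from IPAM records.

    Only records with role == "radius-client", a valid single-host address
    and a sufficiently long, unique secret become clients.conf entries.
    Everything else lands in `rejected` with a reason, so a whole network
    never becomes a RADIUS client by accident and every NAS gets its own
    secret (one leaked secret then unlocks one host, not an address range).
    """
    entries, rejected, seen_secrets = [], [], set()
    for rec in json.loads(ipam_json):
        name = rec.get("hostname", "?")
        if rec.get("role") != "radius-client":
            rejected.append((name, "not a radius client"))
            continue
        try:
            net = ipaddress.ip_network(rec["address"], strict=False)
        except (ValueError, KeyError):
            rejected.append((name, "invalid address"))
            continue
        if net.num_addresses != 1:  # /32 or /128 only; no client networks
            rejected.append((name, f"network {net} too broad, want a single host"))
            continue
        secret = rec.get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            rejected.append((name, f"secret missing or shorter than {MIN_SECRET_LEN} chars"))
            continue
        if secret in seen_secrets:
            rejected.append((name, "secret reused by another client"))
            continue
        seen_secrets.add(secret)
        entries.append(
            f"client {shortname_prefix}{name} {{\n"
            f"\tipaddr = {net.network_address}\n"
            f"\tsecret = {secret}\n"
            f"\tshortname = {name}\n"
            "}\n"
        )
    return "".join(entries), rejected
```

Writing the returned text to a file included from clients.conf and reloading the server is left to the deployment; the rejected list is what you would want to review or alert on.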