There’s been reports of RADIUS issues when dealing with the cloud because of out of order packets and fragmentation. On top of that it uses UDP and not TCP.
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol commonly used for centralized authentication, authorization, and accounting management in computer networks. It operates over UDP (User Datagram Protocol) as its underlying transport protocol. While RADIUS is widely used and effective in many environments, there can be specific challenges when using RADIUS in public cloud environments due to the nature of UDP and potential issues with Maximum Transmission Unit (MTU) path.
UDP and MTU Path:
UDP is a connectionless protocol that does not provide guaranteed delivery or error checking. It has a fixed packet size limit called the Maximum Transmission Unit (MTU). In some scenarios, particularly with public cloud environments, network configurations or intermediaries may have lower MTU values, causing larger UDP packets to be fragmented or dropped.
Challenges:
- Fragmentation: Fragmented UDP packets can cause performance degradation, increased latency, and potential packet loss, impacting RADIUS communication reliability.
- MTU Discovery: In certain cloud environments, MTU discovery mechanisms might not work correctly or may not be supported, making it challenging to determine the optimal MTU size for RADIUS traffic.
RADsec with TLS and TCP:
RADsec is an extension to RADIUS that provides additional security by using Transport Layer Security (TLS) and TCP as the transport protocol instead of UDP. This approach can address some of the issues associated with UDP and MTU path in public cloud environments.
Benefits:
- Improved Reliability: By utilizing TCP, RADsec ensures reliable delivery of RADIUS messages, mitigating potential issues related to packet loss or fragmentation.
- Encryption and Authentication: TLS provides secure encryption and authentication for RADIUS communication, protecting sensitive user information and preventing unauthorized access or tampering.
- Compatibility: RADsec is backward compatible with existing RADIUS infrastructure, allowing gradual migration and deployment without disrupting the existing authentication infrastructure.
Considerations:
- Performance Overhead: The use of TCP and TLS introduces additional overhead compared to UDP, which may impact overall performance. Proper optimization and tuning may be required to ensure optimal performance in high-traffic scenarios.
- Configuration and Support: RADsec implementation requires appropriate configuration of RADIUS servers and clients to support TCP and TLS. Additionally, not all RADIUS clients or servers may support RADsec, so compatibility and support should be verified.
In summary, utilizing RADsec with TLS and TCP can address some of the challenges associated with RADIUS in public cloud environments, particularly related to UDP and MTU path issues. RADsec provides improved reliability, security, and compatibility. However, it’s important to consider the potential performance overhead and ensure compatibility and support among the RADIUS infrastructure components before implementing RADsec.