RADIUS, LDAP, DIAMETER, sflow, TACAS+, SNMP (all versions), UPS, lights-out management, and similar should never-ever be deployed to public-facing networks. These should remain segregated on internal VLANs used for infrastructure only.<p>For wireless 802.1x, use clients certs; managed campus APs may still need a tunnel to a RADIUS box, but that's okay.
Mitigation:<p>> Our recommended short-term mitigation for implementers and vendors is to mandate that clients and servers always send and require Message-Authenticator attributes for all requests and responses. For Access-Accept or Access-Reject responses, the Message-Authenticator should be included as the first attribute. Patches implementing this mitigation have been implemented by all RADIUS implementations that we are aware of. This guidance is being put into an upcoming RADIUS RFC.<p>Paper:<p>> "Radius/UDP Considered Harmful"
<i>Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl</i><p>> <a href="https://www.blastradius.fail/pdf/radius.pdf" rel="nofollow">https://www.blastradius.fail/pdf/radius.pdf</a>
Write up on the Cloudflare blog: <a href="https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack" rel="nofollow">https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack</a>