[TristanBall]

How common are RADIUS deployments that aren't EAP/PEAP based though?

IDK About anyone else but for a very long time anything md5 has been in the same mental bucket as zip or office documents passwords.. a discouragement for the casual user and accidental exposure but not actually secure against any kind of determined attack. ( the accuracy of my mental buckets is perhaps a separate issue )

Although I suppose lots of deployments still go with whatever lowest friction, so maybe lots?

[bcrl]

Realistically, it doesn't matter. My ISP uses RADIUS for authenticating customers in the access network. If someone manages to intercept messages in the middle of my network, I've got bigger problems. Even if someone does inject in the middle, the worst case is that they can forge packets of residential end users. Those customers are already untrusted, so it really does not matter.

[bjterry]

> Those customers are already untrusted, so it really does not matter.

Perhaps it doesn't matter to the health of your network, but if it leads to a customer's account being disabled due to incorrectly assigned abuse, surely it would matter to them.

[bcrl]

How in tarnation would they do that? To inject traffic into the network, the attacker would have to compromise the access network. The RADIUS attack is not going to accomplish that.

[bjterry]

I mean, I know nothing about your network. If your network access servers are within a datacenter under your exclusive physical control, perhaps it's not an issue since it requires a man-in-the-middle position. Something like a neighborhood cabinet DSLAM could be open to abuse?