I have a couple of small-business routers (Cisco RV120W) that I use at some of our smaller offices, configured with a site-to-site VPN to allow connectivity for devices & such between my main office and the remote endpoints. The RV120W does a fine job of this... and I really can't complain too much. Users have now been asking about setting up Wi-Fi... and having played with the RV120W quite a bit... I know it supports "enterprise authentication" with WPA2. After setting it up and trying to make it work... I quickly discovered that the router isn't sending the RADIUS packets through the VPN tunnel... (packets go out the WAN interface for some dumb reason.)
My last 3 major issues I brought up with Cisco... ended up with a "Won't Fix"... (even though they admitted it was a bug)... so I don't really feel like battling this problem with them. So, now I'm reconsidering how to approach this problem to make it work despite the limitations of the device. As a last-ditch effort... I may end up putting a dedicated AP on site behind the router... but I would rather not have yet another device to maintain at each site.
TL;DR:
How safe is it to throw RADIUS packets over the public internet? Potentially, could the data be intercepted and decrypted? Is there a potential for a replay attack of sorts? Are there other concerns I should be aware of?
Here is the way I see it then. You've called their support and they state there's nothing they can do. IMO this is a routing issue of some sort. I don't know how much you can configure on your device (I presume it doesn't have Cisco IOS running on it). Anyway, let's leave that aside and assume you can't. The options I see are as follows.
Are you using PAP? Using CHAP would lower some risk. Also, what type of WAN are we talking about?
Is the WAN to your ISP or a shared network? On a closed network, meaning a transport that segregates traffic via VLAN or subnet, or directly to the public internet with VLAN or subnetting, it's not as risky. Going across a more open network using PAP is more risky. Also, using PPTP vs. XAUTH would be an added level of risk.
RADIUS servers should be able to manage spoofed RADIUS Authe/Autho packets over any network from a malicious NAS.
Configuring something like NAS shared key, duplicate login, client (NAS) ID, NAS type, packet formatting. These combined with the encryption will make it very difficult, but not impossible, to use maliciously.
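The question asks whether RADIUS over the public internet can be decrypted or replayed, and the last answer says a server should reject spoofed packets from a malicious NAS using the shared key and NAS identity. Both points come down to three constructions from RFC 2865 and RFC 2869, so here they are in working form. This is an added example, not code from the original posts or from Cisco: the secret, user name and NAS-Identifier are constructed values, `demo()` is a hypothetical walk-through, and the functions implement the RFCs' arithmetic only (no network I/O). It shows that User-Password hiding is keyed by the shared secret alone (whoever holds the secret recovers the password), that the Message-Authenticator lets the server reject requests that were forged or altered in transit, and that the Response Authenticator lets the NAS reject an Access-Accept that was forged or replayed from a different request.

```python
"""RADIUS authenticator checks per RFC 2865/2869. Added example, not code from this thread or Cisco."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 32, 80

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs; refuse malformed lengths rather than read past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2]) if i + 2 <= len(data) else (0, 0)
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret || previous block); keyed only by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password: same keystream, XOR is its own inverse."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def add_message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 5.14 HMAC-MD5 over the packet with the attribute zeroed; RFC 3579 requires it with EAP."""
    zeroed = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    mac = hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()
    return build_packet(code, ident, request_auth, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])

def verify_message_authenticator(pkt, secret, request_auth):
    """Server-side check: a sender without the secret, or any attribute altered in transit, fails."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(pkt[0], pkt[1], request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])

def build_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(resp, pending_request_auth, secret):
    """NAS-side check: a forged Access-Accept, or one replayed from another request, fails here."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + pending_request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def demo(secret=b"constructed-demo-secret"):
    """Walk one constructed exchange and report which checks pass."""
    request_auth = os.urandom(16)  # fresh per request: the NAS's handle for matching the reply
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"branch-router-demo"),
             (ATTR_USER_PASSWORD, hide_password(b"s3cret!", secret, request_auth))]
    req = add_message_authenticator(ACCESS_REQUEST, 7, request_auth, attrs, secret)
    tampered = bytearray(req)
    tampered[22] ^= 0x01  # flip one bit of User-Name in a copy, as if altered in transit
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [], secret)
    return {
        "genuine_request_ok": verify_message_authenticator(req, secret, req[4:20]),
        "tampered_request_rejected": not verify_message_authenticator(bytes(tampered), secret, req[4:20]),
        "server_recovers_password": reveal_password(attrs[2][1], secret, request_auth) == b"s3cret!",
        "genuine_accept_ok": verify_response(accept, request_auth, secret),
        "replayed_accept_rejected": not verify_response(accept, os.urandom(16), secret),
        "forged_accept_rejected": not verify_response(
            build_response(ACCESS_ACCEPT, 7, request_auth, [], b"wrong-secret"), request_auth, secret),
    }
```

Every check above keys off the same MD5/HMAC-MD5 shared secret, which is the practical answer to the question: nothing in the protocol hides the User-Name, NAS-Identifier or the EAP exchange, and the password hiding is only as strong as the secret, so over the public internet the secret should be long, random and unique per NAS, and the usual remedy is to carry RADIUS inside a tunnel (the IPsec path the router refuses to use here) or over TLS as RadSec (RFC 6614). The replay protection is also only as good as the NAS's bookkeeping: it must match each reply's Identifier and recompute the Response Authenticator against the Request Authenticator it actually sent, as `verify_response` does, and a server should refuse Access-Requests whose Message-Authenticator is missing or wrong, as `verify_message_authenticator` does.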