I have a couple of small-business routers (Cisco RV120W) that I use at some of our smaller offices, configured with a site-to-site VPN to allow connectivity for devices & such between my main office and the remote endpoints. The RV120W does a fine job of this... and I really can't complain too much. Users have now been asking about setting up Wi-Fi... and having played with the RV120W quite a bit... I know it supports "enterprise authentication" with WPA2. After setting it up and trying to make it work... I quickly discovered that the router isn't sending the RADIUS packets through the VPN tunnel... (packets go out the WAN interface for some dumb reason.)
My last 3 major issues I brought up with Cisco... ended up with a "Won't Fix" ... (even though they admitted it was a bug)... so I don't really feel like battling this problem with them. So, now I'm reconsidering how to approach this problem to make it work despite the limitations of the device. As a last-ditch effort... I may end up putting a dedicated AP on site behind the router... but I would rather not have yet another device to maintain at each site.
TL;DR:
How safe is it to throw RADIUS packets over the public internet? Potentially, could the data be intercepted and decrypted? Is there a potential for a replay attack of sorts? Are there other concerns I should be aware of?