RADIUS, LDAP, DIAMETER, sflow, TACAS+, SNMP (all versions), UPS, lights-out management, and similar should never-ever be deployed to public-facing networks. These should remain segregated on internal VLANs used for infrastructure only.
For wireless 802.1x, use clients certs; managed campus APs may still need a tunnel to a RADIUS box, but that's okay.
> Our recommended short-term mitigation for implementers and vendors is to mandate that clients and servers always send and require Message-Authenticator attributes for all requests and responses. For Access-Accept or Access-Reject responses, the Message-Authenticator should be included as the first attribute. Patches implementing this mitigation have been implemented by all RADIUS implementations that we are aware of. This guidance is being put into an upcoming RADIUS RFC.
Paper:
> "Radius/UDP Considered Harmful"
Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl
Sharon Goldberg is active in the research areas of Internet Security, such as BGP and such.
Nadia Heningner is active in cryptography and network security, I first heard about her from her work on factorable.net.
Marc Stevens has been attacking cryptographic hash implementations for ages and has done profound work, see shattered.io although before that he was attacking MD5 I believe.
For wireless 802.1x, use clients certs; managed campus APs may still need a tunnel to a RADIUS box, but that's okay.