RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of now the radius client used e.g. for L2TP VPN auth will bind to address *. Incoming connections to the freeradius server will use the nearest interface IP address pointing to the radius server - making it error prone on OSPF networks when a link fails.
Instead of allowing all IPs from a router to connect to the RADIUS server, we should implement support for a source-ip node.
Freeradius-client used in VyOS 1.2 supports binding to an IP address:
# local address from which radius packets have to be sent bindaddr *
Cisco uses something similar in IOS:
BR1.xxx(config)#ip radius ? source-interface Specify interface for source address in RADIUS packets BR1.xxx(config)# ip radius source-interface loopback0