
deprecating insecure transports #114

@fmauchle

Description

https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/

  • warn secrets length <= 10
  • check max length of shared secret
  • check if 0-length shared secret is rejected

RADIUS implementations MUST support shared secrets of at least 32
octets, and SHOULD support shared secrets of 64 octets.
Implementations MUST warn administrators that the shared secret is
insecure if it is 10 octets or less in length.

The secret MUST NOT be empty (length 0)

  • check if message-authenticator can be added by proxy if missing from RADIUS client
  • always add Message-Authenticator if missing on UDP or TCP Access-Request (toward server)

This document therefore requires that RADIUS clients MUST include the
Message-Authenticator in all Access-Request packets when UDP or TCP
transport is used.

  • ensure memory of password attribute is properly erased when freeing memory

Client and server implementations SHOULD use programming techniques
to securely wipe passwords from memory when they are no longer
needed. --> user password attribute when re-encrypting it!

  • check if/how tls re-keying can be triggered

TLS connections should be rekeyed or reopened after a certain amount of traffic volume or time.
If replaced, make sure all outstanding old requests are answered before closing the connection.

  • update documentation: warn about UDP/TCP outside secure networks

Only use UDP/TCP in a secure environment -> known to be safe from eavesdroppers. Maybe update documentation?
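The first two groups of checklist items above (shared-secret length rules and adding Message-Authenticator to every Access-Request when it is missing) can be tried out with the following added example. It is not code from this project or from the draft; it is a stand-alone illustration written for this page. The packet layout follows RFC 2865 (Code, Identifier, Length, 16-byte Authenticator, TLV attributes) and Message-Authenticator follows RFC 2869 (attribute type 80, HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed). The 64-octet upper bound, the sample secret, the fixed Request Authenticator and the User-Name value are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1            # RFC 2865 packet code
ATTR_USER_NAME = 1            # RFC 2865 attribute type
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, value is always 16 octets
HEADER_LEN = 20

# Assumption for this example: the implementation chooses 64 octets as the
# largest secret it stores, which satisfies the draft's MUST (32) and SHOULD (64).
MAX_SECRET_LEN = 64


def check_shared_secret(secret: bytes, max_len: int = MAX_SECRET_LEN) -> str:
    """Classify a shared secret per the draft: empty is rejected, 10 octets or
    less produces an administrator warning, anything over the configured
    maximum is rejected, everything else is accepted."""
    if len(secret) == 0:
        return "reject"
    if len(secret) > max_len:
        return "too_long"
    if len(secret) <= 10:
        return "warn"
    return "ok"


def parse_attributes(payload: bytes):
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise header plus attributes, recomputing the Length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def has_message_authenticator(packet: bytes) -> bool:
    return any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in parse_attributes(packet[HEADER_LEN:]))


def _hmac_with_zeroed_ma(code, ident, authenticator, attrs, secret: bytes) -> bytes:
    # HMAC-MD5 over the packet with the Message-Authenticator value set to 16 zero octets.
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def ensure_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """Proxy-side rule from the checklist: if an Access-Request arrives over
    UDP/TCP without Message-Authenticator, append one before forwarding."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if code != ACCESS_REQUEST or has_message_authenticator(packet):
        return packet
    authenticator = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:]) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = _hmac_with_zeroed_ma(code, ident, authenticator, attrs, secret)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    return build_packet(code, ident, authenticator, attrs)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC and compare in constant time; False if the attribute is absent."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:])
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    expected = _hmac_with_zeroed_ma(code, ident, authenticator, attrs, secret)
    return hmac.compare_digest(received[0], expected)


# Constructed sample input: a 32-octet secret and an Access-Request carrying only User-Name,
# with a fixed (non-random) Request Authenticator so the example is deterministic.
SAMPLE_SECRET = b"constructed-secret-for-testing!!"


def sample_access_request() -> bytes:
    return build_packet(ACCESS_REQUEST, 7, bytes(range(16)), [(ATTR_USER_NAME, b"alice")])


if __name__ == "__main__":
    print(check_shared_secret(b"short"), check_shared_secret(SAMPLE_SECRET))
    signed = ensure_message_authenticator(sample_access_request(), SAMPLE_SECRET)
    print(has_message_authenticator(signed), verify_message_authenticator(signed, SAMPLE_SECRET))
```

The verify function deliberately treats a missing or duplicated Message-Authenticator as a failure rather than skipping the check, which is the behaviour a server needs once the draft's "MUST include" rule is enforced; the constant-time comparison avoids leaking HMAC bytes through timing.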

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
