Here is a small 1-line patch for radtest. This was originally filed as a bug by the NSA (https://bugzilla.redhat.com/show_bug.cgi?id=630072). It would be nice if this could be applied to 2.1.12 before it's released. The patch is attached in git format and can be applied with either "git am" or "git apply <attachement>" if you save the attachment. I wrote up the justification for the change: ------------------------------------------------------------------ Originally Message-Authenticator was introduced to provide message integrity for EAP messages and originally the Message-Authenticator attribute was only required for EAP messages. But then RFC 5080 came along and suggested Message-Authenticator always be sent as best practice. Any Access-Request packet that performs authorization checks, including Call Check, SHOULD contain a Message-Authenticator attribute. RFC 5080 then goes on to say: ... server implementations may be configured to require the presence of a Message-Authenticator attribute in Access-Request packets. Requests not containing a Message-Authenticator attribute MAY then be silently discarded. The raddb/clients.conf has this configuration option to satisfy the above suggestion in RFC 5080: require_message_authenticator = no|yes If require_message_authenticator == yes then non-EAP auth-requests generated by radtest will fail because currently radtest only supplies the Message-Authenticator if EAP is being performed. With modern Radius servers (e.g. FreeRADIUS) there is no harm in providing the Message-Authenticator attribute for non-EAP packets, in fact it's actually recommended in RFC 5080. Therefore radtest should ALWAYS send the Message-Authenticator attribute. If it's EAP or if the server is configured with require_message_authenticator it must be present. If those conditions do not hold it's benign. However if require_message_authenticator is configured radtest will fail for non-EAP. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/