If require_message_authenticator == yes then non-EAP auth-requests generated by radtest will fail because currently radtest only supplies the Message-Authenticator if EAP is being performed. With modern Radius servers (e.g. FreeRADIUS) there is no harm in providing the Message-Authenticator attribute for non-EAP packets, in fact it's actually recommended in RFC 5080.
Therefore radtest should ALWAYS send the Message-Authenticator attribute. If it's EAP or if the server is configured with require_message_authenticator it must be present. If those conditions do not hold it's benign. However if require_message_authenticator is configured radtest will fail for non-EAP.
There are some instances where sending a message authenticator is destructive and will break things. For example where old RADIUS proxy severs (which have not implemented any special behaviour for Message-Authenticator) are part of a proxy chain, including Message-Authenticator in requests or responses which pass through those servers, will cause the requests/responses to be dropped by the parties on the other side. Just an FYI in case you thought the modification was completely benign :). -Arran Arran Cudbard-Bell a.cudbardb@networkradius.com Technical consultant and solutions architect 15 Ave. du Granier, Meylan, France +33 4 69 66 54 50