Hello everyone, We are currently working on implementing RADIUS Message-Authenticator for MIT krb5[1] according to RFC2865[2] and draft-ietf-radext-deprecating-radius-03[3]. We are not sure about what packet codes we should generate and expect Message-Authenticator to verify for. In draft-ietf-radext-deprecating-radius-03 we can read: Section 5.2.1: "Clients MUST add Message-Authenticator to all Access-Request packets." Section 5.2.4: "Servers MUST add Message-Authenticator as the first attribute in all responses to Access-Request packets. That is, all Access-Accept, Access-Reject, Access-Challenge, and Protocol-Error packets." However, I see that the FreeRADIUS server seems to be generating Message-Authenticators for additional packet codes[4]. We would like to enforce the use of Message-Authenticator as much as possible, but we are not sure if it is relevant for all packet codes. Could you explain why this specific code set triggers Message-Authenticator generation in the FreeRADIUS server? And do you have any recommendations about the cases where we should generate Message-Authenticators to ensure compatibility with FreeRADIUS? Thank you in advance, Julien Rische Red Hat, Inc. [1] https://github.com/krb5/krb5/pull/1370 [2] https://datatracker.ietf.org/doc/html/rfc2869 [3] https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-0... [4] https://github.com/FreeRADIUS/freeradius-server/blob/4312a2df8e0829c87811f42...