On Jul 16, 2024, at 3:25 AM, James Fan <polysorb@gmail.com> wrote:
I upgraded to 3.2.5 and added the following configurations to the security section in the radius.conf.
require_message_authenticator = yes limit_proxy_state = yes
That's good.
I've noticed an unexpected behavior. When I send an access request without the Message-Authenticator but with the Proxy-State, I still get an access rejected response rather than the expected access discarded. Could you please clarify if this is the intended behavior?
I am using the dynamic clients. Does that override the client configs? I don't add the &FreeRADIUS-Client-Require-MA setting.
For now, you will need to add a &FreeRADIUS-Client-Require-MA attribute for dynamic clients. I'll double-check that for a future 3.2.6 release. Alan DeKok.