radtest should always send Message-Authenticator

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 21 13:47:06 CEST 2011

> If require_message_authenticator == yes then non-EAP auth-requests
> generated by radtest will fail because currently radtest only supplies
> the Message-Authenticator if EAP is being performed. With modern
> Radius servers (e.g. FreeRADIUS) there is no harm in providing the
> Message-Authenticator attribute for non-EAP packets, in fact it's
> actually recommended in RFC 5080.
> Therefore radtest should ALWAYS send the Message-Authenticator
> attribute. If it's EAP or if the server is configured with
> require_message_authenticator it must be present. If those conditions
> do not hold it's benign. However if require_message_authenticator is
> configured radtest will fail for non-EAP.

There are some instances where sending a message authenticator is destructive and will break things. For example where old RADIUS proxy severs (which have not implemented any special behaviour for Message-Authenticator) are part of a proxy chain, including Message-Authenticator in requests or responses which pass through those servers, will cause the requests/responses to be dropped by the parties on the other side.

Just an FYI in case you thought the modification was completely benign :).


Arran Cudbard-Bell
a.cudbardb at networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50

More information about the Freeradius-Devel mailing list