Proxy Freeradius 3.0.11 remove Message-Authenticator

[Alan DeKok]

On Apr 8, 2016, at 9:00 AM, LABAT, Xavier <xavier.labat at axione.fr> wrote:
> We would like to upgrade our proxy RADIUS solution from Freeradius 2.2.6 to Freeradius 3.0.11. We collect and switch PPP authentication/accounting requests to our different customers.
> One of them reject all authentication request if they are sent with < Message-Authenticator > attribute. We would like to upgrade without asking any changes to our clients.

  Message-Authenticator was standardized in the year 2000.  If the customers can't support that, they have serious problems.

  But I think I know who the customer is.  And... they should upgrade to a modern RADIUS server.

> We configure the home_server with option "require_message_authenticator = no" in proxy.conf but < Message-Authenticator > attribute is still present in the proxy request.

  Yes.  That option was removed in 3.0.

> Even if it's recommanded, is it possible to remove < Message-Authenticator > attribute in the proxy request ?

  That's what the pre-proxy section is for:

pre-proxy {
	...
	update proxy {
		Message-Authenticator !* ANY
	}
	...
}

  And tell the customer to upgrade to a RADIUS server which has been written in the last 20 years.

  Alan DeKok.