Message Authenticator

Available from release 6.4.6

Require Message-Authenticator in RADIUS request

The Message-Authenticator attribute is an essential security mechanism that guarantees the integrity and authenticity of RADIUS packets. Enabling this feature ensures that the RADIUS server processes only those requests that contain a valid Message-Authenticator attribute, thereby mitigating risks such as packet replay attacks and tampering.

Respond with Message-Authenticator

Configuring the RADIUS server to include the Message-Authenticator attribute in its responses enhances the security of server replies, ensuring their integrity and authenticity. This is particularly important when interacting with clients that require validation of server responses.

Security Considerations

• Vulnerability Mitigation: This feature addresses the security vulnerability identified as CVE-2024-3596.
• Compliance: The Message-Authenticator attribute is mandatory for secure RADIUS communication as specified in RFC 2869.
• Enhanced Security: Enforcing both the requirement and inclusion of the Message-Authenticator attribute significantly strengthens the security posture of your RADIUS deployment.