tbarua
Staff
February 25, 2025

Troubleshooting Tip: How to solve the 'Packet does not contain required Message-Authenticator attribute' error while connecting to FortiAuthenticator as a RADIUS server

Description

 

This article describes how to solve the error 'Packet does not contain required Message-Authenticator attribute' while connecting to FortiAuthenticator as a RADIUS Server.

 

Scope

 

FortiPAM, FortiAuthenticator v6.5.6+.

 

Solution

 

FortiAuthenticator as a RADIUS server can be added in FortiPAM. See RADIUS servers | FortiPAM 1.5.0 | Fortinet Document Library for reference.

 

Test connectivity can fail while connecting to FortiAuthenticator with the following error: 

 

FPAM_RS.png

 

The following steps need to be checked to connect to the RADIUS server successfully.

 

Step 1: Enable the FortiAuthenticator RADIUS extended debug log.

Go to https://<FortiAuthenticator_ip_or_fqdn>/debug -> RADIUS -> Authentication -> Max.log files size = 500MB and select Enter debug mode, then select Enter detailed debug mode.

 

2025-02-24T17:03:08.157763+01:00 FortiAuthenticator radiusd[3754]: Receive - Insecure packet from host 10.5.141.134: Packet does not contain required Message-Authenticator attribute
2025-02-24T17:03:08.157805+01:00 FortiAuthenticator radiusd[3754]: Ready to process requests
2025-02-24T17:03:26.056844+01:00 FortiAuthenticator radiusd[3754]: Receive - Insecure packet from host 10.5.141.134: Packet does not contain required Message-Authenticator attribute

Step 2: Connect to FortiAuthenticator via PuTTY and check the status of the required Message-Authenticator attribute setting.

 

diagnose authentication require-radius-client-message-authenticator
Currently: enabled

 

Because the status is enabled, FortiAuthenticator requires RADIUS clients to send the Message-Authenticator attribute. Notably, this issue relates to recent mitigations for the Blast RADIUS vulnerability (CVE-2024-3596); related documents are listed at the end of this article.

 

Step 3: Disable require-radius-client-message-authenticator in FortiAuthenticator:

 

diagnose authentication require-radius-client-message-authenticator disable
Mode changed from enabled to disabled

 

Note: This is a global change and can negatively affect other RADIUS clients present on FortiAuthenticator. For details, refer to the related article.

Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6.1

 

Step 4: Test the RADIUS connectivity again in FortiPAM. It will show a Successful Connection Status.

 

FPAM_RS1.png

 

Additionally, run a packet capture on the FortiAuthenticator side to see whether the client (FortiPAM) is sending the Message-Authenticator attribute.

 

Related article:

Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6.1