FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
tbarua
Staff
Article Id 378589
Description

 

This article describes how to solve the error 'Packet does not contain required Message-Authenticator attribute' while connecting to FortiAuthenticator as a RADIUS Server.

 

Scope

 

FortiPAM, FortiAuthenticator v6.5.6+.

 

Solution

 

FortiAuthenticator as a RADIUS server can be added in FortiPAM. See RADIUS servers | FortiPAM 1.5.0 | Fortinet Document Library for reference.

 

The connectivity test in FortiPAM can fail when connecting to FortiAuthenticator, with the following error:

 

FPAM_RS.png

 

Work through the following steps to connect to the RADIUS server successfully.

 

Step 1: Enable the FortiAuthenticator RADIUS extended debug log.

Go to https://<FortiAuthenticator_ip_or_fqdn>/debug -> RADIUS -> Authentication, set Max.log files size = 500MB, select Enter debug mode, and then select Enter detailed debug mode.

The RADIUS debug log shows the request from FortiPAM being rejected:

 

2025-02-24T17:03:08.157763+01:00 FortiAuthenticator radiusd[3754]: Receive - Insecure packet from host 10.5.141.134: Packet does not contain required Message-Authenticator attribute
2025-02-24T17:03:08.157805+01:00 FortiAuthenticator radiusd[3754]: Ready to process requests
2025-02-24T17:03:26.056844+01:00 FortiAuthenticator radiusd[3754]: Receive - Insecure packet from host 10.5.141.134: Packet does not contain required Message-Authenticator attribute

Step 2: Connect to FortiAuthenticator via PuTTY and check the status of the require-radius-client-message-authenticator setting.

 

diagnose authentication require-radius-client-message-authenticator
Currently: enabled

 

Because the status is enabled, FortiAuthenticator requires every RADIUS client to include the Message-Authenticator attribute in its requests. This requirement relates to recent mitigations for the Blast RADIUS vulnerability (CVE-2024-3596); related documents are listed at the end of this article.

 

Step 3: Disable require-radius-client-message-authenticator in FortiAuthenticator:

 

diagnose authentication require-radius-client-message-authenticator disable
Mode changed from enabled to disabled

 

Note: This is a global change. It applies to all RADIUS clients configured on FortiAuthenticator, not only FortiPAM, and can negatively affect those other clients. For details, refer to the related article.

Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...

 

Step 4: Test the RADIUS connectivity again in FortiPAM. It will show a Successful Connection Status.

 

FPAM_RS1.png

 

Additionally, run a packet capture on the FortiAuthenticator side to see whether the client (FortiPAM) is sending the Message-Authenticator attribute.
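The check described above can be scripted once the RADIUS payload has been exported from the capture. The following is an added example, not Fortinet code: it parses one Access-Request, reports whether attribute 80 (Message-Authenticator) is present and first in the attribute list, and goes one step further by verifying its HMAC-MD5 against the shared secret. The function names, the sample packet and the secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, 16-byte HMAC-MD5 value (RFC 2869)

def check_message_authenticator(packet: bytes, secret: bytes) -> dict:
    """Inspect one Access-Request (raw UDP payload) for attribute 80."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # drop padding past the declared length
    result = {"code": code, "present": False, "first": False, "valid": False}
    pos, index = 20, 0
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            # HMAC-MD5 over the whole packet with the 16 value bytes zeroed
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            valid = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            result.update(present=True, first=index == 0, valid=valid)
            break
        pos, index = pos + alen, index + 1
    return result

def build_sample_request(secret: bytes, with_ma: bool) -> bytes:
    """Constructed Access-Request for user 'alice' (sample data, not a capture)."""
    attrs = bytes([1, 7]) + b"alice"  # User-Name
    if with_ma:
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    pkt = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs
    if with_ma:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:22] + mac + pkt[38:]  # fill in the zeroed value field
    return pkt

if __name__ == "__main__":
    secret = b"constructed-secret"  # placeholder, not a real shared secret
    for with_ma in (False, True):
        pkt = build_sample_request(secret, with_ma)
        print(with_ma, check_message_authenticator(pkt, secret))
```

A result with `present` false corresponds to the 'Packet does not contain required Message-Authenticator attribute' log entry; `present` true with `valid` false points to a shared-secret mismatch instead.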

 

Related article:

Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...