On 22/08/24 08:36 PM, Bernhard Schmidt wrote:
> FTR, I've tested the binaries on our radius setup today and they worked as
> expected.

Unfortunately I'm still lacking time, but today I had two unexpected consequences.

A clients.conf entry spanning large subnets was upgraded automatically from require_message_authenticator auto -> yes due to the first package being received. Consequently messages from another Radius client within the same clients.conf entry were dropped silently. So far as expected, but I would have assumed FreeRADIUS to log an error when a request without Message-Authenticator attribute comes in and it is (auto-)configured to expect one. But I did not see anything. Is this correct?

Another thing to watch out for, although I would not want it to be in the official changelog/news: Checkpoint Firewalls are known to be broken by FreeRADIUS returning a Message-Authenticator attribute, see https://support.checkpoint.com/results/sk/sk42184 . Apparently there is an internal workaround available, but only to paying users. I could not find a quick way to disable FreeRADIUS always _sending_ the Message-Authenticator header.

All of that was only quickly tested on the Bullseye package; I had no time yet to dig deeper.

Bernhard