Securing RADIUS Messages with Message-Authenticator Attribute

For RADIUS-based user authentication, you can configure the device to secure RADIUS messages using RADIUS attribute 80 (Message-Authenticator). This attribute provides an integrity check on RADIUS packets (a keyed hash computed with the shared secret), safeguarding against unauthorized access (login) to the device through forged or modified packets (e.g., "man-in-the-middle" attacks).

You can configure this feature for incoming and outgoing RADIUS messages:

Outgoing RADIUS Messages: You can enable the device (acting as a Network Access Server / NAS or RADIUS client) to include the Message-Authenticator attribute in all Access-Request RADIUS packets that it sends to the RADIUS server. This is applicable only to the Password Authentication Protocol (PAP) user authentication method. To enable this functionality, use the ini file parameter [RadiusPapRequireMsgAuthTx] or CLI command rad-pap-req-msg-auth-tx.

For RADIUS-based SIP message authentication, this parameter is not needed as it uses the digest protocol, which inherently includes the Message-Authenticator attribute.

Incoming RADIUS Messages: You can enable the device to require the presence of the Message-Authenticator attribute in incoming Access-Accept RADIUS messages received from the RADIUS server. If the attribute is not present, the device rejects the message and denies user login. This functionality is applicable to the Digest or PAP authentication methods. To enable this functionality, use the ini file parameter [RadiusRequireMsgAuthRx] or CLI command rad-req-msg-auth-rx.
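The following is an added example, not code from the device vendor, showing what the two settings above amount to on the wire: it builds a minimal Access-Request carrying a Message-Authenticator (the outgoing case) and then checks an Access-Accept the way a "require Message-Authenticator" policy would (the incoming case), refusing a response that lacks the attribute, fails the check, or was altered. The attribute value is computed per RFC 2869 section 5.14 as HMAC-MD5 keyed with the RADIUS shared secret over the packet with the attribute's own 16 bytes zeroed; for responses the Authenticator field is replaced by the Request Authenticator of the matching Access-Request. The shared secret, user name, identifier and authenticator bytes are constructed sample values.

```python
import hmac
import hashlib
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MA_LEN = 16              # Message-Authenticator value is always 16 octets
ZERO_MA = b"\x00" * MA_LEN


def encode_attrs(attrs):
    """Serialize a list of (type, value_bytes) as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet; the Message-Authenticator, if present, is left zeroed."""
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 octets")
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def message_authenticator_offset(packet):
    """Offset of the Message-Authenticator value inside packet, or None if absent."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if length != MA_LEN + 2:
                raise ValueError("Message-Authenticator must be 18 octets")
            return i + 2
        i += length
    return None


def compute_message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5(secret, packet) with the Authenticator field set to the
    Request Authenticator and the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    off = message_authenticator_offset(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    data = (packet[:4] + request_authenticator
            + packet[HEADER_LEN:off] + ZERO_MA + packet[off + MA_LEN:])
    return hmac.new(secret, data, hashlib.md5).digest()


def sign_packet(packet, secret, request_authenticator):
    """Return the packet with its Message-Authenticator value filled in (outgoing side)."""
    off = message_authenticator_offset(packet)
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    return packet[:off] + mac + packet[off + MA_LEN:]


def verify_message_authenticator(packet, secret, request_authenticator):
    """Incoming-side check with the attribute required: False if it is missing,
    wrong, or the packet was modified. Constant-time comparison avoids a timing oracle."""
    off = message_authenticator_offset(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(packet[off:off + MA_LEN], expected)


def demo():
    """Run the Access-Request / Access-Accept exchange on constructed sample values."""
    secret = b"constructed-shared-secret"          # constructed sample, not a real secret
    request_auth = bytes(range(16))                 # constructed Request Authenticator
    # Outgoing: NAS sends an Access-Request that includes attribute 80.
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           [(USER_NAME, b"alice"), (MESSAGE_AUTHENTICATOR, ZERO_MA)])
    request = sign_packet(request, secret, request_auth)
    # Incoming: a server reply, signed over the Request Authenticator of that request.
    accept = build_packet(ACCESS_ACCEPT, 7, b"\x11" * 16, [(MESSAGE_AUTHENTICATOR, ZERO_MA)])
    accept = sign_packet(accept, secret, request_auth)
    accept_without_ma = build_packet(ACCESS_ACCEPT, 7, b"\x11" * 16, [])
    tampered = bytearray(accept)
    tampered[1] ^= 0x01                             # flip a bit in the Identifier field
    return {
        "request_ok": verify_message_authenticator(request, secret, request_auth),
        "accept_ok": verify_message_authenticator(accept, secret, request_auth),
        "accept_missing_attr": verify_message_authenticator(accept_without_ma, secret, request_auth),
        "accept_tampered": verify_message_authenticator(bytes(tampered), secret, request_auth),
        "accept_wrong_secret": verify_message_authenticator(accept, b"other", request_auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `accept_missing_attr` case is the behaviour the incoming-message setting enables: a syntactically valid Access-Accept that omits attribute 80 is refused rather than accepted on the strength of the Response Authenticator alone. Note that the check is only as strong as the shared secret, since HMAC-MD5 here is keyed with it.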