This article explains a warning that can appear in the Okta RADIUS Agent and On-Prem MFA Agent logs:
yyyy-mm-dd hh:mm:ss UTC [<servername>, pool-#-thread-##] : WARN - Message-Authenticator attribute was expected but not found in the request.
Okta RADIUS Agent 2.24.0+ and On-Prem MFA Agent 1.8.0+ expect, or require (depending on configuration), the Message-Authenticator RADIUS attribute in incoming Access-Request packets. Message-Authenticator (RFC 2869, attribute type 80) is an HMAC-MD5 computed over the whole packet and keyed with the RADIUS shared secret, so it authenticates the Access-Request itself and prevents spoofing of the Access-Accept, Access-Reject and Access-Challenge packets that follow. With EAP the attribute is already mandatory (RFC 3579); with PAP the only other integrity check is the MD5-based Response Authenticator, which is what Blast-RADIUS defeats, so the attribute is now expected for PAP as well.
This message commonly appears after upgrading the RADIUS Agent from a version earlier than 2.24.0, or the On-Prem MFA Agent from a version earlier than 1.8.0, to the latest release, and it can leave end users unable to authenticate.
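The following is an added example, not Okta's agent code, showing what the attribute actually is on the wire: it builds a PAP Access-Request with and without Message-Authenticator and then checks the packet the way a server configured to require the attribute would, returning "missing" for exactly the situation the WARN line describes. The shared secret, user name and password are constructed sample values, and the HMAC-MD5 construction follows RFC 2869 section 5.14 (value bytes zeroed while computing, then patched in).

```python
"""Added example (not Okta's code): build a RADIUS Access-Request with and
without Message-Authenticator and check it as a requiring server would."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """TLV encoding: Type(1) Length(1, counts the two header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, include_ma: bool,
                         request_auth: Optional[bytes] = None) -> bytes:
    """PAP Access-Request. With include_ma=True the Message-Authenticator value is
    HMAC-MD5(secret, packet) computed while its 16 value bytes are zero, then patched in."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_pap_password(password, secret, request_auth))
    ma_value_offset = None
    if include_ma:
        ma_value_offset = HEADER_LEN + len(attrs) + 2      # skip the 2-byte attribute header
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs
    if include_ma:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]
    return packet


def iter_attrs(packet: bytes):
    """Yield (type, value, offset_of_value) for each attribute, bounds-checked
    against the Length field so a malformed packet raises instead of misparsing."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def check_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Decision a server with 'Require Message-Authenticator' makes:
    'missing' (the WARN case on this page), 'invalid', or 'ok'."""
    found = None
    for attr_type, value, offset in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if found is not None or len(value) != 16:
                return "invalid"          # duplicated or wrong-sized attribute
            found = (value, offset)
    if found is None:
        return "missing"
    value, offset = found
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, value) else "invalid"


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"       # sample value, not a real secret
    for include in (False, True):
        pkt = build_access_request(7, b"alice", b"Sample-Pass-1", SECRET, include)
        print(f"Message-Authenticator sent={include}: {check_message_authenticator(pkt, SECRET)}")
    signed = build_access_request(8, b"alice", b"Sample-Pass-1", SECRET, True)
    print("wrong shared secret:", check_message_authenticator(signed, b"other-secret"))
    tampered = signed[:22] + bytes([signed[22] ^ 0x01]) + signed[23:]   # flip a User-Name byte
    print("tampered packet:", check_message_authenticator(tampered, SECRET))
```

The check mirrors the agent's behaviour only in outcome: a client that never adds the attribute is reported as "missing", while a client that adds it but was configured with a different shared secret, or whose packet was modified in transit, is reported as "invalid". Both conditions have to be distinguished when troubleshooting, because the fix for the first is on the downstream device and the fix for the second is usually the shared secret.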
Applies to:
- RADIUS Agent
- Okta On-Prem MFA Agent (formerly RSA Agent)
This WARN-level message indicates that an authentication attempt reached the agent without a Message-Authenticator attribute in a configuration where the agent expects one.
The "Message-Authenticator attribute was expected but not found in the request" log usually requires remediation. If end users cannot authenticate after upgrading either the RADIUS Agent or the On-Prem MFA Agent, one of the following is required:

- Upgrade or reconfigure the downstream integration
  If the downstream integration is not configured to send a Message-Authenticator attribute to the Okta agent, it must be reconfigured to include the attribute, or upgraded to a version that supports it.
  - RADIUS Agent - the downstream integration is the gateway/VPN device (Cisco ASA, F5 VPN, etc.) or any other RADIUS client requesting authentication; see Okta RADIUS Integrations.
  - MFA On-Prem Agent - the downstream integration is the RSA Authentication Manager used for RSA SecurID. Support for Message-Authenticator (MA) was added to RSA Authentication Manager in 8.7 SP2 Patch 3; see page 6 of the RSA Authentication Manager Patch Notes.

- Configure the Message-Authenticator options in Okta
  NOTE: Disabling "Require Message-Authenticator" is not recommended. The requirement was introduced to mitigate the Blast-RADIUS vulnerability (CVE-2024-3596), so disabling it re-exposes the integration to that attack.
  - RADIUS Agent - the option to require the Message-Authenticator attribute is configured on the RADIUS Application: navigate to the RADIUS Application > Authentication tab and check the Authentication Protocol settings.
  - MFA On-Prem Agent - there is currently no way to toggle or disable the Message-Authenticator requirement on version 1.8.0+; upgrade the RSA services so that they send Message-Authenticator instead.
