Message Authenticator attribute

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Message Authenticator attribute

When you configure IAS for a RADIUS client, you configure the IP address of the client. If an incoming RADIUS Access-Request message does not originate from at least one of the IP addresses of configured clients, IAS automatically discards the message, providing protection for an IAS server. However, source IP addresses can be spoofed (substituted with other IP addresses).

To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the RADIUS Message Authenticator attribute, which is described in RFC 2869, "RADIUS Extensions."

The RADIUS Message Authenticator attribute is a Message Digest 5 (MD5) hash of the entire RADIUS message. The shared secret is used as the key. If the RADIUS Message Authenticator attribute is present, it is verified. If it fails verification, the RADIUS message is discarded. If the client settings require the Message Authenticator attribute and it is not present, the RADIUS message is discarded.

For information about how to configure the use of the Message Authenticator attribute for RADIUS clients of an IAS server, see Configure the Message Authenticator attribute and shared secret. For information about how to configure the use of the Message Authenticator attribute for the Routing and Remote Access service, see Use RADIUS authentication.