Publication date: 2025-05-09
I'm doing authentication using FreeRadius. FreeRadius still got queried and replied as usual. However, the OpenWrt log indicated a new issue:
Fri May 9 08:37:20 2025 daemon.notice hostapd: No Message-Authenticator attribute found
Fri May 9 08:37:20 2025 daemon.notice hostapd: Incoming RADIUS packet did not have correct authenticator - dropped
Web search did not yield proper results at first. This seems to be poorly documented...
One obviously needs to add a Message-Authenticator attribute to the Radius response. But how? After some digging, the following solution became clear: One needs to just add a Message-Authenticator attribute with an arbitrary value to the Radius accept response. This "wrong" value gets corrected by FreeRadius automatically.
As my FreeRadius server uses a MariaDB database backend, I added the following record for each groupname in the radgroupreply
table like this:
groupname attribute op value
profile-guest Message-Authenticator = 0
That's it! Simple, once it becomes clear what to do...