OpenWrt and FreeRadius: No Message-Authenticator attribute found

Publication date: 2025-05-09

Issue: After upgrade to OpenWrt 24.10, my devices were no longer able to connect to my WiFi network

I'm doing authentication using FreeRadius. FreeRadius still got queried and replied as usual. However, the OpenWrt log indicated a new issue:

Fri May  9 08:37:20 2025 daemon.notice hostapd: No Message-Authenticator attribute found
Fri May  9 08:37:20 2025 daemon.notice hostapd: Incoming RADIUS packet did not have correct authenticator - dropped

Web search did not yield proper results at first. This seems to be poorly documented...

Solution: Add Message-Authenticator attribute

One obviously needs to add a Message-Authenticator attribute to the Radius response. But how? After some digging, the following solution became clear: One needs to just add a Message-Authenticator attribute with an arbitrary value to the Radius accept response. This "wrong" value gets corrected by FreeRadius automatically.

As my FreeRadius server uses a MariaDB database backend, I added the following record for each groupname in the radgroupreply table like this:

 groupname      attribute               op  value   
 profile-guest  Message-Authenticator   =   0

That's it! Simple, once it becomes clear what to do...

Hint towards the solution

The solution is stated in a forum post: "In FreeRADIUS I was able to do this by initializing the Message-Authenticator attribute to all zeroes in all Access-Accept, Access-Challenge and Access-Reject replies in a post-auth clause; the server populates the authenticator with the correct value automatically just before it writes the response to the wire."