secret = testing123
#
- # Old-style clients do not send a Message-Authenticator
- # in an Access-Request. RFC 5080 suggests that all clients
- # SHOULD include it in an Access-Request. The configuration
- # item below allows the server to require it. If a client
- # is required to include a Message-Authenticator and it does
- # not, then the packet will be silently discarded.
+ # The global configuration "security.require_message_authenticator"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
#
# allowed values: yes, no
- require_message_authenticator = no
+ #
+# require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
{ "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
- { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, require_ma), "no" },
+ { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
{ "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
{ "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
c = talloc_zero(ctx, RADCLIENT);
c->cs = cs;
+ /*
+ * Set the "require message authenticator" flag from the
+ * global default. If the configuration item exists, AND
+ * is set, it will over-ride this flag.
+ */
+ c->require_ma = main_config.require_ma;
+
memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
cl_netmask = 255;
projects / thirdparty / freeradius-server.git / commitdiff
