From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 26 Dec 2024 14:02:38 +0000 (-0500)
Subject: don't complain about limit_proxy_state if we have Message-Authenticator
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4622fdf1979246471d24796348ac39592eb14a14;p=thirdparty%2Ffreeradius-server.git

don't complain about limit_proxy_state if we have Message-Authenticator

if we set "require_message_authenticator = yes", then we don't need
to set (or complain about) limit_proxy_state
---

diff --git a/src/listen/radius/proto_radius.c b/src/listen/radius/proto_radius.c
index a8111b5bde7..d31993f1e16 100644
--- a/src/listen/radius/proto_radius.c
+++ b/src/listen/radius/proto_radius.c
@@ -299,8 +299,10 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d
 		 *	server is low. That said, 'auto' should likely
 		 * 	not be enabled for internet facing servers.
 		 */
-		if ((limit_proxy_state == FR_RADIUS_LIMIT_PROXY_STATE_AUTO) && client->active && !client->seen_first_packet) {
-		    	client->seen_first_packet = true;
+		if (!client->received_message_authenticator &&
+		    (limit_proxy_state == FR_RADIUS_LIMIT_PROXY_STATE_AUTO) &&
+		    client->active && !client->seen_first_packet) {
+			client->seen_first_packet = true;
 			client->first_packet_no_proxy_state = fr_pair_find_by_da(&request->request_pairs, NULL, attr_proxy_state) == NULL;
 
 			RINFO("First packet from %pV (%pV) %s Proxy-State.  Setting \"limit_proxy_state = %s\"",