From: Alan T. DeKok
Date: Wed, 25 Jun 2025 22:29:05 +0000 (-0400)
Subject: print out more information about require_message_authenticator
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78d5b733f71a0fb740ea4ed35b6a3afff52fc041;p=thirdparty%2Ffreeradius-server.git
print out more information about require_message_authenticator
---
diff --git a/src/modules/rlm_radius/bio.c b/src/modules/rlm_radius/bio.c
index 9b2570022e4..7e8ff7cc415 100644
--- a/src/modules/rlm_radius/bio.c
+++ b/src/modules/rlm_radius/bio.c
@@ -667,12 +667,26 @@ static fr_bio_verify_action_t rlm_radius_verify(UNUSED fr_bio_t *bio, void *veri
 /*
 * See if we need to discard the packet.
+ *
+ * @todo - rate limit these messages, and find a way to associate them with a request, or even
+ * the logging destination of the module.
 */
- if (!fr_radius_ok(data, size, h->ctx.inst->max_attributes, REQUIRE_MA(h), &failure)) {
+ if (!fr_radius_ok(data, size, h->ctx.inst->max_attributes, REQUIRE_MA(h), &failure)) {
 if (failure == DECODE_FAIL_UNKNOWN_PACKET_CODE) return FR_BIO_VERIFY_DISCARD;
 PERROR("%s - Connection %s received bad packet", h->ctx.module_name, h->ctx.fd_info->name);
+ if (failure == DECODE_FAIL_MA_MISSING) {
+ if (h->ctx.inst->require_message_authenticator == FR_RADIUS_REQUIRE_MA_YES) {
+ ERROR("We are configured with 'require_message_authenticator = true'");
+ } else {
+ ERROR("We previously received a packet from this client which included a Message-Authenticator attribute");
+ }
+
+ if (h->ctx.fd_config.socket_type == SOCK_DGRAM) return FR_BIO_VERIFY_DISCARD;
+
+ }
+
 return FR_BIO_VERIFY_ERROR_CLOSE;
 }
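Review bot: The added `if (h->ctx.fd_config.socket_type == SOCK_DGRAM) return FR_BIO_VERIFY_DISCARD;` inside the `DECODE_FAIL_MA_MISSING` branch is a behaviour change, not just extra logging: a datagram socket that used to reach `return FR_BIO_VERIFY_ERROR_CLOSE;` now stays open, and neither the commit subject nor a comment says why. If the intent is that a single unauthenticated datagram must not be able to close the socket, record it above that line, e.g. `/* UDP: drop the packet but keep the socket, an unauthenticated datagram must not close it */`. With the socket kept open, the `PERROR` and `ERROR` lines repeat for every such datagram, so the rate limiting named in the new `@todo` is needed on this path first. The two `ERROR` calls also omit the `h->ctx.module_name` and `h->ctx.fd_info->name` prefix that the `PERROR` line carries, which makes them hard to tie to a connection when reading the log. The body of rlm_radius_verify starts and ends outside the hunk.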