NPS Message-Authenticator Attribute

Applies To: Windows Server 2008, Windows Server 2008 R2

When you add one or more Remote Authentication Dial-In User Service (RADIUS) clients in the NPS Microsoft Management Console (MMC) snap-in, you configure the IP address of one RADIUS client or, if you are using Windows Server 2008 Enterprise or Windows Server 2008 Datacenter, you configure multiple RADIUS clients using an IP address range. If an incoming RADIUS Access-Request message does not originate from an IP address of a configured RADIUS client, Network Policy Server (NPS) automatically discards the message, providing protection for a server running NPS. However, source IP addresses can be spoofed (substituted with other IP addresses) by malicious users.

To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the RADIUS Message-Authenticator attribute, which is described in RFC 2869, “RADIUS Extensions.”

Key facts about the Message-Authenticator attribute:

  • The RADIUS Message-Authenticator attribute is a Message Digest 5 (MD5) hash of the entire RADIUS message.

  • The shared secret configured on the NPS server and the RADIUS client is used as the key.

  • If the RADIUS Message-Authenticator attribute is present, it is verified by NPS. If the Access-Request message fails verification, the message is discarded by the NPS server.

  • If the RADIUS client settings require the Message-Authenticator attribute and it is not present, the RADIUS message is discarded.
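The checks in the list above, written out as an added example (not NPS code or code from the original page). RFC 2869 defines the attribute value as an HMAC-MD5 over the whole packet, keyed with the shared secret and computed with the attribute's own 16 octets set to zero. The function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def find_msg_auth(packet: bytes):
    """Return (declared length, offset of the 16-octet value or None)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    pos, offset = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            # Rejecting duplicates is this example's strictness choice.
            if alen != 18 or offset is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            offset = pos + 2
        pos += alen
    return length, offset

def accept_request(packet: bytes, secret: bytes, require: bool) -> bool:
    """True to keep processing the Access-Request, False to discard it."""
    try:
        length, offset = find_msg_auth(packet)
    except ValueError:
        return False
    if offset is None:
        return not require  # absent: discard only if the client requires it
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[offset:offset + 16], expected)

def build_sample_request(secret: bytes, signed: bool = True) -> bytes:
    """Constructed Access-Request (code 1) for user 'alice'; not captured traffic."""
    attrs = bytes([1, 7]) + b"alice"
    if signed:
        attrs += bytes([MSG_AUTH, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs)
    if signed:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)
```

A packet with a spoofed source address but without knowledge of the shared secret fails the `compare_digest` step, as does any packet whose attributes were altered in transit.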


With NPS in Windows Server 2008, all Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) authentication methods use the Message-Authenticator attribute by default.

For more information, see Incoming RADIUS Message Validation and NPS Shared Secrets.