Add MessageAuthenticator support

To address RadiusBLAST vulnerability.

Fixes #16

docs/html/manual.html

@@ -183,6 +183,16 @@ sending of RADIUS interim accounting records (in seconds).</p>
 <p>This secret will be used in all RADIUS queries. If this is not set
 then RADIUS queries will fail.</p>
 </dd>
+<dt><code>radius_require_message_authenticator</code> (string)</dt>
+<dd>
+<p>If set to true, RADIUS answers to AccessRequests will have to contain
+a valid MessageAuthenticator. If set to auto (default), if the first
+RADIUS answer to AccessRequests contains a valid MessageAuthenticator,
+subsequent answers will have to contain one. If set to no (not
+recommended), RADIUS answers to AccessRequests do not have to contain a
+valid MessageAuthenticator. It is advised to set this to true after
+checking that your RADIUS server does send MessageAuthenticator.</p>
+</dd>
 <dt><code>radius_authtypes</code> (string)</dt>
 <dd>
 <p>A comma separated list of supported RADIUS authentication methods

docs/manpages/startup-config.5

@@ -1,4 +1,4 @@
-.\" Automatically generated by Pandoc 3.0.1
+.\" Automatically generated by Pandoc 3.1.3
 .\"
 .\" Define V font for inline verbatim, using C font in formats
 .\" that render this, and otherwise B font.
@@ -360,6 +360,18 @@ RADIUS interim accounting records (in seconds).
 This secret will be used in all RADIUS queries.
 If this is not set then RADIUS queries will fail.
 .PP
+\f[B]radius_require_message_authenticator\f[R] (string)
+.PP
+If set to true, RADIUS answers to AccessRequests will have to contain a
+valid MessageAuthenticator.
+If set to auto (default), if the first RADIUS answer to AccessRequests
+contains a valid MessageAuthenticator, subsequent answers will have to
+contain one.
+If set to no (not recommended), RADIUS answers to AccessRequests do not
+have to contain a valid MessageAuthenticator.
+It is advised to set this to true after checking that your RADIUS server
+does send MessageAuthenticator.
+.PP
 \f[B]radius_authtypes\f[R] (string)
 .PP
 A comma separated list of supported RADIUS authentication methods

docs/src/html/manual.md

@@ -203,6 +203,18 @@ should be set by a line like: set configstring \"value\" set ipaddress
 :   This secret will be used in all RADIUS queries. If this is not set
     then RADIUS queries will fail.
 
+`radius_require_message_authenticator` (string)
+
+:   If set to true, RADIUS answers to AccessRequests will have to contain
+    a valid MessageAuthenticator.
+    If set to auto (default), if the first RADIUS answer to AccessRequests
+    contains a valid MessageAuthenticator, subsequent answers will have to
+    contain one.
+    If set to no (not recommended), RADIUS answers to AccessRequests do not have
+    to contain a valid MessageAuthenticator.
+    It is advised to set this to true after checking that your RADIUS server
+    does send MessageAuthenticator.
+
 `radius_authtypes` (string)
 
 :   A comma separated list of supported RADIUS authentication methods

docs/src/man/startup-config.5.md

@@ -215,6 +215,18 @@ The following `variables` may be set:
 
   This secret will be used in all RADIUS queries. If this is not set then RADIUS queries will fail.
 
+**radius\_require\_message\_authenticator** (string)
+
+  If set to true, RADIUS answers to AccessRequests will have to contain
+  a valid MessageAuthenticator.
+  If set to auto (default), if the first RADIUS answer to AccessRequests
+  contains a valid MessageAuthenticator, subsequent answers will have to
+  contain one.
+  If set to no (not recommended), RADIUS answers to AccessRequests do not have
+  to contain a valid MessageAuthenticator.
+  It is advised to set this to true after checking that your RADIUS server
+  does send MessageAuthenticator.
+
 **radius\_authtypes** (string)
 
   A comma separated list of supported RADIUS authentication methods ("pap" or "chap"), in order of preference (default "pap").