Share via

Windows Server 2019 Event ID 17 - An Access-Request message was received from RADIUS client 192.168.xxx.xxx without a Message-Authenticator attribute when a Message-Authenticator attribute is required.

Sonny B 141 Reputation points
2025-05-06T20:46:13.6133333+00:00

Hi Everyone,

While setting up our Radius server to be used as an authenticator for verifying VPN access, we got this error, "An Access-Request message was received from RADIUS client 192.168.254.254 without a Message-Authenticator attribute when a Message-Authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the Message-Authenticator attribute in the request" checkbox) and the configuration of the network access server."

Screen Shot 2025-05-06 at 1.09.46 PM

The thing is, when we go to Network Policy Server > RADIUS Clients and Servers > Radius Clients > Radius Client > Radius Client Properties > Advanced, "Access-Request message must contain the Message-Authenticator attribute" is already enabled with a checkmark.

We're following Cisco's procedure for setting up a 2FA using Duo and a RADIUS server from this link below and this is what we've run into.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Directory_with_MX_Security_Appliances

Any assistance is greatly appreciated.

Thank you very much,

Sonny B

Windows for business | Windows Server | User experience | Other
0 comments
Accepted answer
  1. Joseph Tran 770 Reputation points Independent Advisor
    2025-05-11T14:06:13.4266667+00:00

    You need to disable the checkbox "Access-Request message must contain the Message-Authenticator attribute" for that RADIUS client in NPS.

    Because the Meraki MX (per Cisco/Meraki documentation) does not include the Message-Authenticator attribute in its RADIUS requests. If NPS requires it, you'll get this exact error.

    Even if you're using Duo as the 2FA middleware between Meraki and NPS, Duo only proxies the RADIUS requests, and it can’t inject the Message-Authenticator header into a message that never had it to begin with.

    Get access to your NPS server then flow these steps bellow:

    • Open Network Policy Server.
    • Go to RADIUS Clients and Servers > RADIUS Clients.
    • Right-click the RADIUS Client (your Meraki device).
    • Choose Properties > Advanced tab.
    • Uncheck "Access-Request messages must contain the Message-Authenticator attribute".
    • Click OK and restart the NPS service (optional but recommended).
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sonny B 141 Reputation points
    2025-05-12T21:38:31.3233333+00:00

    Hi Joseph,

    Wow! Thank you very much.

    Now, I'm getting an Event 6273 Reason 16 Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    So I'll create a new post for this new error then.

    Thank you very much,

    Sonny B

    0 comments
  2. Joseph Tran 770 Reputation points Independent Advisor
    2025-05-13T01:36:34.4066667+00:00

    Hi, so did you fix it with my solution yet ? And does the Windows Server working fine by now ?

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.