BlastRadius mitigations causing multiple events when 'requiremsgauth' flag is set for Remote Servers

[andrew-fitzgerald]

Event Code 4420
EVENT: The RADIUS Proxy received a response from server 127.0.0.1 with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.
EVENT DESCRIPTION:
This is an Audit event for RADIUS response packets received without the Message-Authenticator attribute at the proxy. Consider changing the specified RADIUS server for the Message-Authenticator attribute. The RADIUS packet will be dropped once the requiremsgauth configuration is enabled.

The above event fires when the PAN-RA proxy RADIUS Remote Server has the attribute 'requiremsgauth' enabled

Workaround includes adding the PANRRA proxy from Remote Servers to the exception list which will stop the events from firing.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

[ryannewington]

I'm not sure what is going on here.

The Message-Authenticator attribute only applies to Access-* packets, not Accounting-* packets.

RAN RA Proxy only processes and responsds to Accounting packets.

I'm wondering if MS has a bug in their logging. Does it actual fail if you move it to enforcement mode?