From 09e3301c8fae277adaa736ce700aa0010947af23 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Sat, 1 Nov 2025 17:58:48 +0100
Subject: [PATCH] providers/radius: fix inverted message authenticator
 validation (#17855)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/radius/request.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/outpost/radius/request.go b/internal/outpost/radius/request.go
index 962c929832..7c64af91bb 100644
--- a/internal/outpost/radius/request.go
+++ b/internal/outpost/radius/request.go
@@ -1,7 +1,6 @@
 package radius
 
 import (
-	"bytes"
 	"crypto/hmac"
 	"crypto/md5"
 	"errors"
@@ -46,7 +45,7 @@ func (r *RadiusRequest) validateMessageAuthenticator() error {
 		return err
 	}
 	hash.Write(encode)
-	if bytes.Equal(mauth, hash.Sum(nil)) {
+	if !hmac.Equal(mauth, hash.Sum(nil)) {
 		return ErrInvalidMessageAuthenticator
 	}
 	return nil