FortiAuthenticator RADIUS message-authenticator fun

Preface: we have an MSP managing our Fortinet devices; they're a Fortinet partner. I'm mostly exposed to Fortinet through integrations and am by no means an expert.

We have a site using SSL VPN via a Fortigate firewall connected to load balanced FortiAuthenticator VMs for auth using RADIUS (FortiAuthenticator = RADIUS server, Fortigate = RADIUS client).

Firewalls get upgraded to v7.2.10, with one of the drivers for the upgrade being the CVE-2024-3596 Blast-RADIUS vulnerability. MSP forgets to upgrade FortiAuthenticator to v6.6.2, VPN breaks, and I get called to look into the issue. For some reason the MSP thought the RADIUS server was our NPS.

Anyway, I find this nice article specifically for troubleshooting RADIUS after upgrading to v7.2.10. I figure out that the Fortigate is using the FortiAuthenticator for RADIUS, upgrade the FortiAuthenticator servers, and the VPN starts working again... except I haven't enabled the "Require client to send message-authenticator attribute" setting on the FortiAuthenticators yet! So I enable that setting, and the VPN breaks!

Wth is going on? I haven't looked yet to make sure the FortiAuthenticator is sending the message-authenticator attribute in the response, but I'm assuming it has to be, since it was broken before upgrading. Has anyone else seen this (bug) where the setting isn't enabled in the GUI, but it's still being sent, and enabling the setting causes RADIUS to fail?
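Added example, not from the OP, Fortinet, or any FortiAuthenticator/FortiGate code: what "require Message-Authenticator" actually checks on the wire, so you can reason about which side is breaking. Attribute 80 is an HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's own value zeroed (RFC 2869 s.5.14); in responses the HMAC is computed with the Request Authenticator in the authenticator field. The Blast-RADIUS fix is the server rejecting Access-Requests without it and the client rejecting responses without it, because the plain Response Authenticator (MD5 over Code+ID+Length+RequestAuth+Attributes+Secret) is what the collision attack forges. The shared secret, user name, NAS-Identifier and packet ID below are constructed values, and the checker is a minimal model of a strict peer, not the behaviour of either Fortinet product.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 32, 80
MA_LEN = 16  # HMAC-MD5 digest length


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(secret, packet, request_authenticator=None):
    """HMAC-MD5 over the packet with attribute 80 zeroed (RFC 2869 s.5.14).
    For Accept/Reject/Challenge the authenticator field is replaced by the
    Request Authenticator of the Access-Request being answered."""
    auth = packet[4:20] if request_authenticator is None else request_authenticator
    body = b""
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            v = b"\x00" * MA_LEN
        body += struct.pack("!BB", t, len(v) + 2) + v
    return hmac.new(secret, packet[:4] + auth + body, hashlib.md5).digest()


def with_message_authenticator(secret, code, ident, auth, attrs, request_authenticator=None):
    """Append attribute 80 as the last attribute and fill in its HMAC."""
    pkt = build_packet(code, ident, auth, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MA_LEN)])
    return pkt[:-MA_LEN] + message_authenticator(secret, pkt, request_authenticator)


def build_response(secret, code, ident, request_authenticator, attrs):
    """Accept/Reject carrying attribute 80 plus the classic Response Authenticator
    (MD5 over Code+ID+Length+RequestAuth+Attributes+Secret, RFC 2865 s.3)."""
    pkt = with_message_authenticator(secret, code, ident, request_authenticator, attrs, request_authenticator)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def check_packet(secret, packet, require_ma=True, request_authenticator=None):
    """Validate like a peer with 'require Message-Authenticator'. Returns (accepted, reason).
    Pass request_authenticator when checking a response on the client side."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length"
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError as e:
        return False, str(e)
    if request_authenticator is not None:
        expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
        if not hmac.compare_digest(packet[4:20], expected):
            return False, "bad Response Authenticator"
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return (not require_ma), "Message-Authenticator missing"  # lenient peer still accepts
    if len(mas) != 1 or len(mas[0]) != MA_LEN:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(mas[0], message_authenticator(secret, packet, request_authenticator)):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


def demo(secret=b"example-shared-secret"):  # constructed secret, not a real one
    """Constructed exchange: NAS request with/without attribute 80, a tampered copy,
    the server's Accept, and a Reject someone tried to flip into an Accept."""
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"fortigate-1")]
    plain = build_packet(ACCESS_REQUEST, 7, req_auth, attrs)
    signed = with_message_authenticator(secret, ACCESS_REQUEST, 7, req_auth, attrs)
    tampered = bytearray(signed)
    tampered[22] ^= 0x01  # flip first byte of User-Name; TLV framing stays intact
    accept = build_response(secret, ACCESS_ACCEPT, 7, req_auth, [])
    forged = bytearray(build_response(secret, ACCESS_REJECT, 7, req_auth, []))
    forged[0] = ACCESS_ACCEPT  # code change without the secret: both checks must fail
    return {
        "plain_lenient": check_packet(secret, plain, require_ma=False)[0],
        "plain_strict": check_packet(secret, plain)[0],
        "signed": check_packet(secret, signed)[0],
        "tampered": check_packet(secret, bytes(tampered))[0],
        "wrong_secret": check_packet(b"not-the-secret", signed)[0],
        "accept": check_packet(secret, accept, request_authenticator=req_auth)[0],
        "forged": check_packet(secret, bytes(forged), request_authenticator=req_auth)[0],
    }
```

The "plain_strict" case is the failure mode in the post: a request that was fine under a lenient server is dropped the moment the server requires attribute 80, and a strict client does the same to a response that lacks it. To settle which direction is failing, capture one Access-Request and its reply on UDP/1812 and look for attribute type 80 in each; a mismatch in the shared secret shows up as "Message-Authenticator mismatch" rather than "missing".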