hi, during recent testing/validation of authentication methods on our server we found a problem with EAP-TTLS/EAP-MSCHAPv2 basically, after looking at the packets to see whats wrong or where things went wrong we found the following to be the case, the inner-tunnel calls the EAP-MSCHAPv2 method which itself is an EAP method.. the end result is two sets of some MS-MMPE keys MS-MPPE-Send-Key MS-MPPE-Recv-Key these get duplicated.... our current 'fix' is to just reset these in the post-auth section of the inner-tunnel so that only the last ones are created/dealt with - so far, that works for clients but its a little ugly and shouldnt be needed. post-auth { # # Remove the Double Sets of Keys when using ttls eap in eap # update reply { MS-MPPE-Send-Key !* 0x00 MS-MPPE-Recv-Key !* 0x00 } } can anyone else validate this behaviour (in case its resulting from something we've done)? alan