Hi list, I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails. * I can capture auth requests coming in (in authorize section of outer site) * I can capture auth successes and failures (in outer site:post-auth) * I can capture successful auths in the EAP:TLS inner site But - when an EAP-TLS auth fails (eg on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt? Thanks, Jim Potter Jisc Config snippets FWIW: server home { authorize { log_auth_req eap } post-auth { log_auth_accept Post-Auth-Type REJECT { log_auth_reject } } } eap { tls { virtual_server = eap-inner } } server eap-inner { authorize { log_inner } authenticate { log_inner } post-auth { log_inner Post-Auth-Type REJECT { log_inner } } }