The last reply was accidentally sent directly to your email. Here again for the mailing list:
You've added the attributes in the inner-tunnel, but you haven't told the server to send them to the client. You need to copy the inner tunnel attributes to the outer tunnel. See sites-available/inner-tunnel: Then also see sites-available/default: this comment applies to EAP-PWD, too. Follow the instructions there. Alan DeKok.
Thank you for your help. I have already done this so far. Or have I overlooked something? Here is my configuration: sites-enabled/default: ################################ server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 0 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess suffix rewrite_calling_station_id eap { ok = return updated = return } -sql logintime } authenticate { eap } preacct { preprocess acct_unique suffix } accounting { detail -sql exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } -sql exec Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } ################################ sites-enabled/inner-tunnel: ################################ server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 0 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess suffix rewrite_calling_station_id eap { ok = return updated = return } -sql logintime } authenticate { eap } preacct { preprocess acct_unique suffix } accounting { detail -sql exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } -sql exec Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } ################################