Hi Alan, I meant what RFC 3580 says here. Instructing a NAS to re-authenticate via a Termination-Action AVP of RADIUS-Request and a Session-Timeout AVP being supplied in the Access-Accept. That is entirely decoupled to EAP session resumption. It is in this case that NASes are observed not sending a Stop and a Start, which I believe is semantically correct. 3.17. Session-Timeout When sent along in an Access-Accept without a Termination-Action attribute or with a Termination-Action attribute set to Default, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to session termination. When sent in an Access-Accept along with a Termination-Action value of RADIUS-Request, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to re- authentication. In this case, the Session-Timeout attribute is used to load the reAuthPeriod constant within the Reauthentication Timer state machine of 802.1X. When sent with a Termination-Action value of RADIUS-Request, a Session-Timeout value of zero indicates the desire to perform another authentication (possibly of a different type) immediately after the first authentication has successfully completed. When sent in an Access-Challenge, this attribute represents the maximum number of seconds that an IEEE 802.1X Authenticator should wait for an EAP-Response before retransmitting. In this case, the Session-Timeout attribute is used to load the suppTimeout constant within the backend state machine of IEEE 802.1X. 3.19. Termination-Action This attribute indicates what action should be taken when the service is completed. The value RADIUS-Request (1) indicates that re- authentication should occur on expiration of the Session-Time. The value Default (0) indicates that the session should terminate.