Hi,
In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth && ensure the inner tunnel sets: reply:outer User-Name to request:inner User-Name and then key my VLAN computation (in outer post-auth) from reply:User-Name.
I can see other possibilities to do this (e.g. cache Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok to me. Can anyone on the list spot any problems, something that I've missed / gotchas with the above?
this is a fine idea - you only need to hit the handling logic post-auth (after the basic accept/reject has been done). just ensure that you dont pass this inner-id stuff back to remote proxies. alan