Hello, I've configured a FreeRADIUS 3.2.7 system to run PEAP/MSCHAPv2. I would like to have Inner-Identity and Outer-Identity displayed in the logs. - in mods-enabled/eap, I have: tls-config tls-common { ... cache { enable=yes lifetime = 24 name = "EAP-EDU module" persist_dir = "${db_dir}/tlscache" } } peap { ... copy_request_to_tunnel = no } - in sites-enabled/inner-tunnel, I put: post-auth { update outer.session-state { Tmp-String-0 := &User-Name } ... } or this alternative configuration : post-auth { if (1) { update reply { Tmp-String-0 := &User-Name } update { &outer.session-state: += &reply: } } ... } as it says in the comments of the mods-enabled/eap file "If you need to send a reply attribute in the outer session, the ONLY safe way is to set "use_tunneled_reply = yes", and then update the inner-tunnel reply." - in sites-enabled/default post-auth { inner_outer } with inner_outer defined in mods-enabled/linelog file : linelog inner_outer { destination = files filename = ${logdir}/inner_outer.log format = "Packet-Type=%{%{reply:Packet-Type}:-default} Outer-User=%{User-Name} Inner-User=%{%{session-state:Tmp-String-0}:-unknown}" } The problem is that sometimes I get Packet-Type=Access-Accept Outer-User=anonymous@xxxx.fr Inner-User=unknown I don't understand why. Is it true that the session state may not be restored correctly to the last outer packet in certain cases such as: - TLS session resumption - specific fragmentation - specific timing - Windows fast reconnect Is this an architectural limitation in version 3.x? The only truly reliable method I've found is to log the inner identity in `inner-tunnel` and the outer identity in `default`, and to correlate via Calling-Station-Id + Event-Timestamp Is this the only method ? If possible, I would also like to be able to construct `reply.User-Name=sam@toto.fr` from `request.User-Name=anonymous@toto.fr` + `inner.User-Name=sam` Could you please help me? Best regards, -- Samuel