Hi Enrique,
Can you show us what the inner-tunnel post-auth section looks like? By trimming down the debug output, we've lost that.
If your inner-tunnel post-auth just uses "update reply {", then you may with to update it with "update outer.reply {", which should feed the attribute back.
Stefan
Hi Stefan, I only added to postauth in inner-tunnel server configuration what I had in authorize in default server: foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } Now I changed it into update outer.reply and, instead of the attribute being added to the tunneled reply to the default server, it was added to the Access-Challenge that the default server sent to the client. Then, the client sends one last Access-Request and the server sends Access-Accept without the attribute. I am guessing that this last reply was done only by the default server, so the inner-tunnel didn't get to add anything. But if that's so, how can I add the attribute in the default server without querying LDAP on every packet that the server sends to set up the TLS conversation? Thanks again!