You can also put that block into the post-proxy section of the inner-tunnel. It should do the same thing.
Just tried this, for whatever reason update = noop which I believe means nothing was updated. (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel (8) post-proxy { (8) update { (8) &outer.session-state:Proxy-State += &reply:Proxy-State -> 0x3730 (8) &outer.session-state:Framed-Protocol += &reply:Framed-Protocol -> PPP (8) &outer.session-state:Service-Type += &reply:Service-Type -> Framed-User (8) &outer.session-state:Class += &reply:Class -> 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b0000000000054507 (8) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0x6f6da555aa52c08a69f1d40 (8) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0xd848d864c43408713a143c1 (8) &outer.session-state:MS-CHAP2-Success += &reply:MS-CHAP2-Success -> 0x85533d433231414331363443343037333931383833433532353546434146453633303 (8) &outer.session-state:MS-CHAP-Domain += &reply:MS-CHAP-Domain -> '\205MYDOMAIN' (8) &outer.session-state:MS-Link-Utilization-Threshold += &reply:MS-Link-Utilization-Threshold -> 50 (8) &outer.session-state:MS-Link-Drop-Time-Limit += &reply:MS-Link-Drop-Time-Limit -> 120 (8) } # update = noop (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel 2. (8) eap: Proxied authentication succeeded