> You can also put that block into the post-proxy section of the inner-tunnel.  It should do the same thing.

Just tried this, for whatever reason update = noop which I believe means nothing was updated.

(8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel
(8)   post-proxy {
(8)     update {
(8)       &outer.session-state:Proxy-State += &reply:Proxy-State -> 0x3730
(8)       &outer.session-state:Framed-Protocol += &reply:Framed-Protocol -> PPP
(8)       &outer.session-state:Service-Type += &reply:Service-Type -> Framed-User
(8)       &outer.session-state:Class += &reply:Class -> 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b0000000000054507
(8)       &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0x6f6da555aa52c08a69f1d40
(8)       &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0xd848d864c43408713a143c1
(8)       &outer.session-state:MS-CHAP2-Success += &reply:MS-CHAP2-Success -> 0x85533d433231414331363443343037333931383833433532353546434146453633303
(8)       &outer.session-state:MS-CHAP-Domain += &reply:MS-CHAP-Domain -> '\205MYDOMAIN'
(8)       &outer.session-state:MS-Link-Utilization-Threshold += &reply:MS-Link-Utilization-Threshold -> 50
(8)       &outer.session-state:MS-Link-Drop-Time-Limit += &reply:MS-Link-Drop-Time-Limit -> 120
(8)     } # update = noop
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel 2.
(8) eap: Proxied authentication succeeded