Hello, I want to send CoA over existing TLS connection that is established with client before. But, I am getting error as below. Is there anyone who can help me ? I also added my configurations below. *clients.conf* client 10.10.10.10 { ipaddr = 10.10.10.10 proto = tcp secret = testing123 } *tls.conf* listen { ipaddr = * port = 2083 type = auth+acct proto = tcp virtual_server = default limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } tls { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} ca_path_reload_interval = 3600 cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.3" cache { enable = no lifetime = 24 # hours } require_client_cert = no verify { } } } *default.conf* server default { authorize { if (&User-Name == "bob") { update coa { &User-Name = "%{User-Name}" &Calling-Station-Id = "%{Calling-Station-Id}" &NAS-IP-Address = "10.10.10.10" } } filter_username preprocess chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap Autz-Type New-TLS-Connection { ok } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } if (EAP-Key-Name && &reply:EAP-Session-Id) { update reply { &EAP-Key-Name := &reply:EAP-Session-Id } } } pre-proxy { } post-proxy { eap } } *ERROR* Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default Ready to process requests ... new connection request on TCP socket Listening on auth+acct from client (10.10.10.10, 42673) -> (*, 2083, virtual-server=default) Waking up in 0.3 seconds. (0) (TLS) recv TLS 1.3 Handshake, Finished (0) tls_recv: Access-Request packet from host 10.10.10.10 port 42673, id=0, length=69 Threads: total/active/spare threads = 5/0/5 Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 0 from 10.10.10.10:42673 to 0.0.0.0:2083 length 69 (0) NAS-IP-Address = 1.1.1.1 (0) Calling-Station-Id = "00010305AABB" (0) Framed-IP-Address = 192.168.1.1 (0) User-Name = "bob" (0) User-Password = "hello" (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) if (&User-Name == "bob") { (0) if (&User-Name == "bob") -> TRUE (0) if (&User-Name == "bob") { (0) update coa { (0) EXPAND %{User-Name} (0) --> bob (0) &User-Name = bob (0) EXPAND %{Calling-Station-Id} (0) --> 00010305AABB (0) &Calling-Station-Id = 00010305AABB (0) &NAS-IP-Address = 10.10.10.10 (0) } # update coa = noop (0) } # if (&User-Name == "bob") = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bob", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bob at line 87 (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, bob (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = noop (0) WARNING: Unknown destination 10.10.10.10:3799 for CoA request. (0) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 10.10.10.10:42673 length 0 (0) Reply-Message = "Hello, bob" (0) (TLS) send TLS 1.3 Handshake, Finished (0) Finished request