Hi All, When a client does session resumption: cache { enable = yes} in eap.conf The session User-Name (from previous access-accept) is restored from the cache e.g: [ttls] Skipping Phase2 due to session resumption [ttls] Adding cached attributes to the reply: User-Name = "ab1234" In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth && ensure the inner tunnel sets: reply:outer User-Name to request:inner User-Name and then key my VLAN computation (in outer post-auth) from reply:User-Name. I can see other possibilities to do this (e.g. cache Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok to me. Can anyone on the list spot any problems, something that I've missed / gotchas with the above? Many thanks, James