Thanks. I've included the tls.conf now and as you say it now sets the secret and type dynamically. So I'm now left with the same end issue (it's not using the just added home server to proxy the request out to): ... new connection request on TCP socket Listening on auth+acct from client (209.206.59.19, 49510) -> (*, 2083, virtual-server=default) Waking up in 0.8 seconds. (0) (TLS) Initiating new session (0) (TLS) Handshake state - before SSL initialization (0) (TLS) Handshake state - Server before SSL initialization (0) (TLS) Handshake state - Server before SSL initialization (0) (TLS) recv TLS 1.3 Handshake, ClientHello (0) (TLS) Handshake state - Server SSLv3/TLS read client hello (0) (TLS) send TLS 1.2 Handshake, ServerHello (0) (TLS) Handshake state - Server SSLv3/TLS write server hello (0) (TLS) send TLS 1.2 Handshake, Certificate (0) (TLS) Handshake state - Server SSLv3/TLS write certificate (0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange (0) (TLS) Handshake state - Server SSLv3/TLS write key exchange (0) (TLS) send TLS 1.2 Handshake, ServerHelloDone (0) (TLS) Handshake state - Server SSLv3/TLS write server done (0) (TLS) Server : Need to read more data: SSLv3/TLS write server done (0) (TLS) In Handshake Phase Waking up in 0.7 seconds. (0) (TLS) Handshake state - Server SSLv3/TLS write server done (0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange (0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (0) (TLS) recv TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Server SSLv3/TLS read finished (0) (TLS) send TLS 1.2 ChangeCipherSpec (0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (0) (TLS) send TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Server SSLv3/TLS write finished (0) (TLS) Handshake state - SSL negotiation finished successfully (0) (TLS) Connection Established (0) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES256-GCM-SHA384" (0) TLS-Session-Version = "TLS 1.2" Waking up in 0.7 seconds. (0) (TLS): Access-Request packet from host 209.206.59.19 port 49510, id=15, length=442 Threads: total/active/spare threads = 2/0/2 Thread 2 got semaphore Thread 2 handling request 0, (1 handled so far) (0) Received Access-Request Id 15 from 209.206.59.19:49510 to 0.0.0.0:2083 length 442 (0) User-Name = "anonymous@openroaming.goog" (0) NAS-IP-Address = 192.168.1.15 (0) NAS-Identifier = "xx" (0) Called-Station-Id = "xx" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "xx" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 13 / Channel: 64" (0) Acct-Session-Id = "37435BC5701BFFFF" (0) Acct-Multi-Session-Id = "01E86F90CB69EC74" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0282001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67 (0) HS20-AP-Version = 1 (0) HS20-Mobile-Device-Version = 0x010000 (0) HS20-Roaming-Consortium = 0x5a03ba0000 (0) Message-Authenticator = 0x9db6eae3f189b5ef4add2b2fafc55f00 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [chap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "openroaming.goog" for User-Name = "anonymous@openroaming.goog" (0) suffix: Found realm "DEFAULT" (0) suffix: Adding Realm = "DEFAULT" (0) suffix: Proxying request from user anonymous@openroaming.goog to realm DEFAULT (0) suffix: Preparing to proxy authentication request to realm "DEFAULT" (0) [suffix] = updated (0) eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. (0) [eap] = noop (0) [pap] = noop (0) } # authorize = updated (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp: (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh (0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir} (0) --> /usr/local/etc/raddb (0) EXPAND %{1} (0) --> openroaming.goog Waking up in 0.3 seconds. ... new connection request on command socket Listening on command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/tls.conf home_server openroaming.goog { nonblock = no ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/my.key" certificate_file = "/usr/local/etc/raddb/certs/my.crt" ca_file = "/usr/local/etc/raddb/certs/my.ca" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } (0) Program returned code (0) and output '' (0) &Temp-Home-Server-String := (0) } # update control = noop (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) update control { (0) EXPAND %{1} (0) --> openroaming.goog (0) &Home-Server-Name := openroaming.goog (0) } # update control = noop (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = noop (0) ... skipping else: Preceding "if" was taken (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) [chap] = noop (0) suffix: Request already has destination realm set. Ignoring (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 130 length 31 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> anonymous@openroaming.goog (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap: Request was previously rejected, inserting EAP-Failure (0) eap: Sending EAP Failure (code 4) ID 130 length 4 (0) [eap] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>] (from client all port 1 cli xx via TLS tunnel) (0) Finished internally proxied request. (0) Login incorrect (Home Server says so): [anonymous@openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx) (0) Using Post-Auth-Type Reject (0) Post-Auth-Type sub-section not found. Ignoring. (0) Login incorrect: [anonymous@openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx) (0) Sent Access-Reject Id 15 from 0.0.0.0:2083 to 209.206.59.19:49510 length 44 (0) EAP-Message = 0x04820004 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) Finished request with: (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request still the problem