Hi! I am sorry for the strange subject but I can't find a shorter description that still makes some sense. First: I got this working already in the way I need it but I want to solicit a maybe more elegant or better solution I may have not seen. Second: This is for 3.0.21. Third: This needs a bit of explanation up front before I come to my question, please bear with me. What am I doing: I have the usual default/inner-tunnel setup needed for Wifi+EAP in Eduroam and this all works fine, no problems here. And I use the "update { &reply: += &session-state: }" method to copy specific attributes from the inner-tunnel into the outer one, most important those to steer the VLAN assignment. This also works nice. Now here is the wrinkle: To aid the internal accounting I also need to provide the internal APs and Controllers with the inner-User-Name but not in requests leaving via the federation servers to Eduroam. Until recently I had a setup like this: # inner-tunnel vhost post-auth { [...] update reply { Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY User-Name !* ANY } # If internal Wifi system, readd User-Name if ("%{client:thmtype}" =~ /^aruba-wlan-/) { update reply { &User-Name := &User-Name } } [...] } # /inner-tunnel vhost "thmtype" is an additional key I add via client.conf for internal systems needing this. This also works fine. But this creates reply packages with _two_ User-Name attributes in Access-Accept, because the "copy from session state" adds the internal Username to the reply. But this worked for our Aruba IAPs with Virtual Controller, our Wifi guys saw the real username in their logs and in the accounting database. Now we upgraded to Aruba Mobility Controller and they choke on the duplicate User-Name attribute in the Access-Accept, the device never gets fully authenticated though the controller clearly receives the Access-Accept. To avoid that problem, I now also changed the default VHost to this: # default vhost post-auth { [...] # Overwrite User-Name in Reply with inner-tunnel # and remove from session-state to avoid duplication if ("%{client:thmtype}" =~ /^aruba-wlan-/) { update { &reply:User-Name := &session-state:User-Name &session-state:User-Name !* ANY } } # Add rest of inner-tunnel attributes to reply update { &reply: += &session-state: } [...] } # /default vhost This works fine, but after all those many words, the question: Is there a more elegant or simpler way to achieve this I didn't see? Grüße, Sven.