Hello all, I am experiencing the following problem when using EAP-TLS and session resumption. When my client tries to authenticate for the 2nd time and FR recognizes that it has a valid session for it, it goes on and adds a cached attribute to the reply (User-Name) thus ending up with two User-Name attributes in my packet reply to NAS. Debug: SSL Connection Established Debug: SSL Application Data Info: [tls] eaptls_process returned 3 Info: [tls] Retrieved session data from cached session Info: [tls] Adding cached attributes to the reply: User-Name = "anonymous@myisp2.com" Info: [eap] Freeing handler Info: ++[eap] returns ok Auth: Login OK: [anonymous@myisp2.com] (from client my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99) Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Info: +- entering group post-auth {...} Info: ++[exec] returns noop Sending Access-Accept of id 23 to 2001:db95::100 port 1814 User-Name = "anonymous@myisp2.com" User-Name = "anonymous@myisp2.com" MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007 MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2 EAP-Message = 0x03c90004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x34 How could I check if my reply has two User-Name attributes and remove one? I am guessing that I should add some code in my post-auth.. Thanks a lot in advance, Panos PS. in order for session resumption to work on EAP-TLS I am having an update reply { User-Name = "%{request:User-Name}"} section at the end of my auth stanza of default which explains why it is not surprising to have the first instance of User-Name there when FR decides to add cached attributes... (if I don't have this update reply code SR doesn't work in EAP-TLS)