Hi, I'm in a PEAP setup and trying to match the SSID as part of the group_checks. This is an example request coming in : (17) Received Access-Request Id 59 from 192.168.10.237:1645 to 192.168.10.1:1812 length 201 (17) User-Name = "test_pwd_1" (17) Framed-MTU = 1400 (17) Called-Station-Id = "0000.0000.0000" (17) Calling-Station-Id = "0000.0000.0000" (17) Cisco-AVPair = "ssid=TestMain" (17) Service-Type = Login-User (17) Message-Authenticator = XXX (17) EAP-Message = XXX (17) NAS-Port-Type = Wireless-802.11 (17) NAS-Port = 542 (17) NAS-Port-Id = "542" (17) State = XXX (17) NAS-IP-Address = 192.168.10.237 As you can see, there is the ssid the user tries to connect to that's included as an Cisco-AVPair and I wanted to be able to match on it Unfortunately it turns out the this attribute is apparently not copied from the outer request to the inner one, despite copy_request_to_tunnel being set to true. I tried parsing it in the default authorize {} using : if (Cisco-AVPair[*] =~ /ssid=(.*)/i) { update request { Called-Station-SSID := "%{1}" } } Hoping that Called-Station-SSID would then be copied. However it's not copied either. Finally I tried adding this in the inner-tunnel authorize {} if (&outer.request:Called-Station-SSID) { update request { &Called-Station-SSID := &outer.request:Called-Station-SSID } } And this indeed seems to work and I can match on it. However I have a couple questions : - Why wasn't the Cisco-AVPair and/or the Called-Station-SSID attributes copied ? Other attrs like Service-Type / Called-Station-Id / ... all are copied properly. - Does it look like the right thing to do ? Cheers, Sylvain Munaut