Hello guys, In the last version freeradius (3.0.7), some attributes are not visible inside the inner-tunnel, like as Tunnel-Private-Group-ID, this attribute have de VLAN ID from client. Before I was using freeradius version 3.0.1 and always work fine, in 3.0.7 version this attribute is visible in default server, but it not is copied to inner-tunnel. In EAP configuration session, when I upgrade from 3.0.1 to 3.0.7, I changed the configs to: in eap module: use_tunneled_reply = no And uncomment in inner-tunnel post-auth from: update { &outer.session-state: += &reply: } and update outer.session-state { MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY } In accord with documentation, this replace use_tunneled_reply = yes in 3.0.5 version In debug below we can see the missing attribute Tunnel-Private-Group-ID in EAP check, this produce de error: “ERROR: Failed retrieving values required to evaluate condition” (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) if (User-Name !~ /@/){ (8) if (User-Name !~ /@/) -> TRUE (8) if (User-Name !~ /@/) { (8) update request { (8) Realm := 'pti' (8) } # update request = noop (8) } # if (User-Name !~ /@/) = noop (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix: Request already has destination realm set. Ignoring (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap: Peer sent code Response (2) ID 10 length 66 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop *(8) if (Tunnel-Private-Group-ID == "5"){(8) ERROR: Failed retrieving values required to evaluate condition(8) if (Tunnel-Private-Group-ID == "81"){(8) ERROR: Failed retrieving values required to evaluate condition(8) if (Tunnel-Private-Group-ID == "62"){(8) ERROR: Failed retrieving values required to evaluate condition* (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xdf2cb347df26a950 (8) eap: Finished EAP session with state 0xdf2cb347df26a950 (8) eap: Previous EAP request found for state 0xdf2cb347df26a950, released from the list (8) eap: Peer sent method MSCHAPv2 (26) (8) eap: EAP MSCHAPv2 (26) (8) eap: Calling eap_mschapv2 to process EAP data (8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: Creating challenge hash with username: 0013006 (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Login incorrect (Failed retrieving values required to evaluate condition): [0013006] (from client controladora-wlan-1 port 4 cli e0-f8-47-30-8d-82 via TLS tunnel) (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) if ( Realm == "vst" ) { (8) if ( Realm == "vst" ) -> FALSE (8) if ( Realm == "srv" ) { (8) if ( Realm == "srv" ) -> FALSE Thanks for help -- João Paulo de Lima Barbosa "Para chegar aonde a maioria não chega, você precisa fazer o que a maioria não faz."