The server has historically had problems dealing with authentication conversations that cross multiple packets. The existing "use_tunnel_reply" feature in TTLS and PEAP help, but aren't perfect. The behavior is not clear, and it's easy to get the configuration wrong. Version 3.0.5 fixes this problem. You can now do: authorize { ... update session-state { attributes ... } } These attributes are automatically cached when the server sends an Access-Challenge. They are automatically retrieved when the server receives an Access-Request. They are automatically deleted when the server sends an Access-Accept or Access-Reject. This means that the "inner-tunnel" server can now do: update outer.session-state { ... } And the final Access-Accept can be updated by the following code: post-auth { ... update { reply += session-state } } This feature should hopefully be simpler (and better) than the previous configurations. The code is available now in the v3.0.x branch in git. Please try it before 3.0.5 is released! Alan DeKok.