How to bypass some logic during EAP-TLS auth?

Alexey D. Filimonov alexey at filimonic.net
Sat Nov 2 21:05:12 UTC 2024


Currently I have several if()s in authorize{} before eap, and I think I 
cannot move them past the EAP call.

But during EAP authentication I see this logic gets executed 8(!) times 
in the -X debug session.

Can I wrap those if()s in some rule like "If the session is new, then 
execute the wrapped logic, else just bypass the wrapped block"?


   authorize {

     if (!(&NAS-Port-Type && &NAS-Port-Type == Wireless-802.11)) {
       update request {
         &Module-Failure-Message += 'Rejected: NAS-Port-Type is not Wireless-802.11.'
       }
       reject
     }

     rewrite_called_station_id

     if (!&Called-Station-SSID) {
       update request {
         &Module-Failure-Message += 'Rejected: No SSID in Called-Station-Id'
       }
       reject
     }

     if ("%{client:vlan_for_%{Called-Station-SSID}}") {
       update session-state {
         &Tunnel-Type := VLAN   # RFC 3580
         &Tunnel-Medium-Type := IEEE-802   # RFC 2868
         &Tunnel-Private-Group-Id := "%{client:vlan_for_%{Called-Station-SSID}}"   # string, RFC 2868
       }
     } else {
       update request {
         &Module-Failure-Message += "Rejected: No vlan_for_%{Called-Station-SSID} defined for client %{client:shortname}"
       }
       reject
     }

     if (!&User-Name) {
       update request {
         &Module-Failure-Message += 'Rejected: User-Name not provided.'
       }
       reject
     }

     eap_wifi {
       ok = return
       updated = return
     }
   }

   authenticate {
     eap_wifi
   }
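The pattern the question asks about, as an added example that is not part of the original post and not FreeRADIUS project code. It assumes FreeRADIUS 3.x unlang, the eap_wifi module instance and the rewrite_called_station_id policy named in the post, and uses the internal Tmp-String-0 attribute from the stock dictionary as a marker; any unused internal attribute would serve. Each EAP round trip is a separate Access-Request, so authorize {} runs once per round, but the session-state list is saved when the server sends Access-Challenge and restored on the next request of the same conversation (it is keyed on the RADIUS State attribute). A marker set there after the checks pass lets later rounds skip them:

```unlang
   authorize {

     # session-state is empty on the first packet of a conversation and
     # carries whatever earlier rounds stored on every later packet, so the
     # marker is absent exactly once per EAP session. The reject branches
     # end the conversation, so they need no marker of their own.
     # (Tmp-String-0 as the marker is an assumption of this example.)
     if (!&session-state:Tmp-String-0) {

       if (!(&NAS-Port-Type && &NAS-Port-Type == Wireless-802.11)) {
         update request {
           &Module-Failure-Message += 'Rejected: NAS-Port-Type is not Wireless-802.11.'
         }
         reject
       }

       # Called-Station-SSID is derived from the request, so it is only
       # needed here; move this call outside the guard if post-auth uses it.
       rewrite_called_station_id

       if (!&Called-Station-SSID) {
         update request {
           &Module-Failure-Message += 'Rejected: No SSID in Called-Station-Id'
         }
         reject
       }

       if ("%{client:vlan_for_%{Called-Station-SSID}}") {
         # VLAN attributes go into session-state so they survive to post-auth.
         update session-state {
           &Tunnel-Type := VLAN   # RFC 3580
           &Tunnel-Medium-Type := IEEE-802   # RFC 2868
           &Tunnel-Private-Group-Id := "%{client:vlan_for_%{Called-Station-SSID}}"   # RFC 2868
         }
       } else {
         update request {
           &Module-Failure-Message += "Rejected: No vlan_for_%{Called-Station-SSID} defined for client %{client:shortname}"
         }
         reject
       }

       if (!&User-Name) {
         update request {
           &Module-Failure-Message += 'Rejected: User-Name not provided.'
         }
         reject
       }

       # Every check passed: record that fact so the remaining EAP rounds
       # of this conversation take the fast path straight to eap_wifi.
       update session-state {
         &Tmp-String-0 := "policy-checked"
       }
     }

     eap_wifi {
       ok = return
       updated = return
     }
   }

   authenticate {
     eap_wifi
   }
```

Re-running the checks on every round is not a security problem, only wasted work and debug noise, so the guard fails closed: if a NAS or supplicant does not echo the State attribute, session-state comes back empty and the checks simply run again. In -X output the guard's branch should then be taken on the first Access-Request only, with the subsequent rounds showing the if condition evaluating to false.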


