> I moved sql module call from "authorize" to "post-auth"
What if you leave sql in authorize of the default virtual server, but wrap it with unlang that only calls it if you're not doing EAP. Then, always call it in the inner-tunnel virtual server's authorize section. The inner-tunnel authorize is after the TLS tunnel is formed so it seems that this would eliminate the redundant database calls that occur in the default virtual server while the tunnel is being setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
