server inner-tunnel-second {

authorize {
	eap_tnc {
		ok = return
	}
}

authenticate {
	eap_tnc
}

session {
	radutmp
}

post-auth {
	if (control:TNC-Status == "Access") {
		update reply {
			Tunnel-Type := ESP
			Filter-Id := "allow"
		}
	}
	elsif (control:TNC-Status == "Isolate") {
		update reply {
			Tunnel-Type := ESP
			Filter-Id := "isolate"
		}
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

} # inner-tunnel-second block