[Frater]

ah, yes very true.

I forgot to mention the minor point that I run into MEP routing problems when the Edge box performs its authentication. The RADIUS request packets arrive at our Central IAS but the sender IP that is showing is the Edge outer interface. So any responding traffic is sent through the nearest internet gateway and dies somwere along the way.

Had the Edge box used the internal interface or similar then I would never have this problem since the route to the Edge Lan is published on the corporate network.

I tried Hide NATing the incoming auth requests behind the firewall terminating the VPN, but no luck.