diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index 07a538824744..cf8dfe49c1d1 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -580,7 +580,7 @@ static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session
 	 * Allocate a fake REQUEST structure.
 	 */
 	fake = request_alloc_fake(request, NULL);
-	rad_assert(!request->packet->vps);
+	rad_assert(!fake->packet->vps);
 
 	t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t);
 
@@ -588,16 +588,16 @@ static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session
 	 * Add the tunneled attributes to the fake request.
 	 */
 
-	MEM(request->packet->vps = fr_pair_afrom_da(fake->packet, attr_eap_message));
-	fr_pair_value_memcpy(request->packet->vps, tlv_eap_payload->vp_octets, tlv_eap_payload->vp_length, false);
+	MEM(fake->packet->vps = fr_pair_afrom_da(fake->packet, attr_eap_message));
+	fr_pair_value_memcpy(fake->packet->vps, tlv_eap_payload->vp_octets, tlv_eap_payload->vp_length, false);
 
 	RDEBUG2("Got tunneled request");
-	log_request_pair_list(L_DBG_LVL_1, request, request->packet->vps, NULL);
+	log_request_pair_list(L_DBG_LVL_1, fake, fake->packet->vps, NULL);
 
 	/*
 	 * Tell the request that it's a fake one.
 	 */
-	MEM(fr_pair_add_by_da(fake->packet, &vp, &request->packet->vps, attr_freeradius_proxied_to) >= 0);
+	MEM(fr_pair_add_by_da(fake->packet, &vp, &fake->packet->vps, attr_freeradius_proxied_to) >= 0);
 	fr_pair_value_from_str(vp, "127.0.0.1", sizeof("127.0.0.1"), '\0', false);
 
 	/*
@@ -607,14 +607,14 @@ static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session
 	/*
 	 * No User-Name, try to create one from stored data.
 	 */
-	username = fr_pair_find_by_da(request->packet->vps, attr_user_name, TAG_ANY);
+	username = fr_pair_find_by_da(fake->packet->vps, attr_user_name, TAG_ANY);
 	if (!username) {
 		/*
 		 * No User-Name in the stored data, look for
 		 * an EAP-Identity, and pull it out of there.
 		 */
 		if (!t->username) {
-			vp = fr_pair_find_by_da(request->packet->vps, attr_eap_message, TAG_ANY);
+			vp = fr_pair_find_by_da(fake->packet->vps, attr_eap_message, TAG_ANY);
 			if (vp &&
 			    (vp->vp_length >= EAP_HEADER_LEN + 2) &&
 			    (vp->vp_strvalue[0] == FR_EAP_CODE_RESPONSE) &&
@@ -640,7 +640,7 @@ static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session
 
 		if (t->username) {
 			vp = fr_pair_copy(fake->packet, t->username);
-			fr_pair_add(&request->packet->vps, vp);
+			fr_pair_add(&fake->packet->vps, vp);
 		}
 	} /* else the request ALREADY had a User-Name */