Proxying only specific requests within a single realm

Tony Skalski ajs at stolaf.edu
Thu May 20 17:58:01 CEST 2021


We are migrating from NPS to FreeRADIUS this summer for our eduroam
wireless network. During a transition period I need to proxy clients using
the old configuration to the NPS servers. I am doing this based on outer
identity - the old config lacks outer identity configuration while the new
one specifies anonymous-202106. This is the logic from the outer tunnel
authorize section:

        if (&User-Name == "anonymous-202106" || &User-Name == "anonymous-202106@stolaf.edu" || &User-Name == "STOAD\anonymous-202106") {
                # Authenticate the request locally
                noop
        } elsif (&User-Name =~ /stolaf\.edu/ || &User-Name =~ /STOAD/) {
                # Old client profile (no anonymous outer identity): proxy to the NPS servers
                update {
                        control:Proxy-To-Realm := 'nps_servers'
                        request:Operator-Name := "1${operator_name}"
                }
                return
        }

The above works well for our old and new client configs. (There is some
additional logic not shown for the case of eduroam guests.)

We have one local realm, stolaf.edu. If I configure this as a realm in
proxy.conf, FR tries to authenticate all requests, from old and new
clients. If I comment it out, I do not get a realm in my log messages for
local authentications (i.e. new clients).

Is my approach above sound? Is there a better way of achieving the above
goal using realm config or something else?

Thanks!

-- 
*Tony Skalski*
System Administrator | IT

*Office:* 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
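
An added example, not part of the original post: a Python model of the routing decision quoted above, for checking which outer identities are authenticated locally and which are proxied before the change goes live. It assumes unlang's `==` is an exact, case-sensitive comparison and `=~` an unanchored, case-sensitive search; `route`, `routing_table` and the sample identities are constructed for illustration.

```python
import re

# Outer identities sent by the new client profile (values from the post).
NEW_PROFILE_IDS = {
    "anonymous-202106",
    "anonymous-202106@stolaf.edu",
    "STOAD\\anonymous-202106",
}
# Same patterns as the elsif branch: unanchored, case-sensitive searches.
LEGACY_PATTERNS = [re.compile(r"stolaf\.edu"), re.compile(r"STOAD")]


def route(user_name: str) -> str:
    """Model the outer-tunnel decision for one User-Name."""
    if user_name in NEW_PROFILE_IDS:  # assumed: == is an exact match
        return "local"
    if any(p.search(user_name) for p in LEGACY_PATTERNS):
        return "proxy:nps_servers"
    return "unhandled"  # falls through to the logic the post does not show


# Constructed sample identities, not taken from real logs.
SAMPLES = [
    "anonymous-202106",
    "anonymous-202106@stolaf.edu",
    "STOAD\\anonymous-202106",
    "jdoe@stolaf.edu",
    "STOAD\\jdoe",
    "Anonymous-202106@stolaf.edu",   # case differs from the exact match
    "anonymous-202106@STOLAF.EDU",   # upper-case realm
    "jdoe@stolaf.edu.example.org",   # realm that merely contains stolaf.edu
    "guest@example.org",
]


def routing_table(samples=SAMPLES):
    """Return {identity: decision} for every sample identity."""
    return {name: route(name) for name in samples}


if __name__ == "__main__":
    for name, decision in routing_table().items():
        print(f"{name:32} -> {decision}")
```

The last four samples are the ones to review: a differently cased anonymous identity is proxied rather than handled locally, an upper-case realm matches neither branch, and a realm that only contains `stolaf.edu` is still sent to `nps_servers`.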

