I have regex in my /etc/raddb/site-enabled/default authorize section as : if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) { # user has a valid-looking realm update request { Stripped-User-Name := "%{1}" #Realm = "%{tolower:%{2}}" Realm = "%{toupper:%{2}}" #Realm = "%{2}" } } else { # malformed NAI update reply { Reply-Message := "malformed username " } reject } if (Realm == example.com) { update control { Proxy-To-Realm := LOCAL } } else { update control { Proxy-To-Realm := DEFAULT } } This is working well, with example.com. but when user sends user@a.example.com then it sends to DEFAULT which send to UPstream radius server. So, what shall I do a.example.com, b.example.com (valid sub-domain) not to send upstream server ? I tried enabling in proxy.conf realm "~(.*\\.)*example\\.com$" { } no luck. any hint or point on this ?