Hi,
When I use the unlang condition to check for host in the User-Name, would it go under 'sites-enabled/default' authenticate section?
if thats the main virtual server that requests go through - then yes. would advise that you create your own virtual servers and have the relevant client definitions pointing to them - allowing you trivial isolation of different policies (eg for eduroam, put requests form national proxies straight through a minimal virtual server that starts with permit_only_eap and then just auths - with pap,mschap,etc etc all removed in the outer...and only the required EAP method in inner. no VLAN assign etc etc. then your internal virtual server (for host auth/user auth etc) can have all this stuff for internal requirements... alan