I am going in circles here and not getting anywhere. I will try to describe what I want to do starting with huntgroups. huntgroup: All NAS-IP-Address == 10.213.226.1 All NAS-IP-Address == 10.213.226.2 All NAS-IP-Address == 10.213.226.3 All NAS-IP-Address == 192.168.224.5 All NAS-IP-Address == 192.168.224.36 All NAS-IP-Address == 172.213.226.46 Bldg1 NAS-IP-Address == 10.213.226.1 Bldg1 NAS-IP-Address == 10.213.226.2 Bldg1 NAS-IP-Address == 10.213.226.3 Bldg1 NAS-IP-Address == 192.168.224.5 Bldg1 NAS-IP-Address == 192.168.224.36 Bldg2 NAS-IP-Address == 172.213.226.46 UnitA NAS-IP-Address == 10.213.226.1 UnitA NAS-IP-Address == 10.213.226.2 UnitA NAS-IP-Address == 10.213.226.3 UnitA NAS-IP-Address == 172.213.226.46 UnitB NAS-IP-Address == 192.168.224.5 UnitB NAS-IP-Address == 192.168.224.36 UnitB NAS-IP-Address == 172.213.226.46 UnitAB NAS-IP-Address == 172.213.226.46 TypeVPN NAS-IP-Address == 192.168.224.5 TypeGW NAS-IP-Address == 192.168.224.36 =========================== Now, what I need is multiple proxy statements for each. For example I want For each group below, in addition to what is listed, I want default to fall through to (proxy to): realm DEFAULT { type = radius authhost = highered.edu accthost = highered.edu nostrip =================== "All" Authenticate with a Null Realm or Authenticate user@generic.edu "Bldg1" Authenticate with a Null Realm or Authenticate user@generic.edu "UnitA" Authenticate with user@unita.generic.edu or Authenticate with Null Realm or Authenticate user@generic.edu But NOT user@unitb.generic.edu "UnitB" Authenticate with user@unitb.generic.edu or Authenticate with Null Realm or Authenticate user@generic.edu but NOT user@unita.generic.edu "UnitAB" Authenticate with user@unita.generic.edu or Authenticate with user@unitb.generic.edu or user@generic.edu or Null realm "TypeVPN" Authenticate ONLY with Null Realm So I can add these as DEFAULT users in the users file, based on huntgroup, but from there I am at a loss as to what entry to put and the config in proxy.conf to match. I think I could do the following users: DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := realm1.edu DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := realm2.edu DEFAULT Huntgroup-Name == UnitAB, Proxy-To-Realm := realm3.edu DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := realm4.edu DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := realm5.edu DEFAULT Huntgroup-Name == BLDG1, Proxy-To-Realm := realm6.edu DEFAULT Huntgroup-Name == Bldg2, Proxy-To-Realm := realm7.edu DEFAULT Huntgroup-Name == All, Proxy-To-Realm := realm8.edu But how can I get them to only allow certain @realms? Is there a way to define in here something like this? DEFAULT Huntgroup-Name == UnitA, *@unita.generic.edu Proxy-To-Realm := realm4.edu but then in proxy.conf how can I keep it so it does not allow UnitA users to authenticate on UnitB NAS's (unless it is a UnitAB)but still allows user@generic.edu, Null and DEFAULT proxy as mentioned above? I have looked at the mailing list and found many setups, but none seem to take into account the actual realm a user tries to log into. Thanks. -- Walter Reynolds Principle Systems Security Development Engineer Information Technology Central Services University of Michigan (734)615-9438