We are migrating from NPS to FreeRADIUS this summer for our eduroam wireless network. During a transition period I need to proxy clients using the old configuration to the NPS servers. I am doing this based on outer identity - the old config lacks outer identity configuration while the new one specifies anonymous-202106. This is the logic from the outer tunnel authorize section: if (&User-Name == "anonymous-202106" || &User-Name == " anonymous-202106@stolaf.edu" || &User-Name == "STOAD\anonymous-202106") { # Authenticate the request locally noop } elsif (&User-Name =~ /stolaf\.edu/ || &User-Name =~ /STOAD/) { update { control:Proxy-To-Realm := 'nps_servers' request:Operator-Name := "1${operator_name}" } return } The above works well for our old and new client configs. (There is some additional logic not shown for the case of eduroam guests.) We have one local realm, stolaf.edu. If I configure this as a realm in proxy.conf, FR tries to authenticate all requests, from old and new clients. If I comment it out, I do not get a realm in my log messages for local authentications (i.e. new clients). Is my approach above sound? Is there a better way of achieving the above goal using realm config or something else? Thanks! -- *Tony Skalski* System Administrator | IT *Office: *507-786-3227 <(507)786-3227> 1510 St. Olaf Avenue Northfield, MN 55057 stolaf.edu