Hi All, I'm trying to get into the unlang world since it seems really powerful but I can't get my hands around a simple virtual server switching scenario. I basically want to switch to a virtual server based on some attributes, Service-Type for instance. This is because on some network hardware I can't add a radius server for every type of authentication. So everything (802.1x, mac-auth, prompt auth goes to the same server) I found a thread suggesting to do the following: (http://freeradius.1045715.n5.nabble.com/virtual-servers-tt2769141.html) authorize { switch "Service-Type" { #MAC authentication case 'Call-Check' { update control { server[mac-auth] } } #NAS console authentication case 'NAS-Prompt-User' { update control { server[mac-auth] } } } } This works as the debug logs shows: # Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth However it only executes the authorize section of the nas-auth virtual server. I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := "mac-auth" instead of the server[] directive. But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang or is it still best to use the proxying approach using realms? Here's a log of the process. As you can see it only issues the authorize section of the nas-auth virtual server as apposed to going through the full server when using Proxy-To-Realm. rad_recv: Access-Request packet from host 10.6.254.62 port 1025, id=152, length=95 User-Name = "testusr" User-Password = "testpwd" NAS-IP-Address = 10.6.254.62 NAS-Identifier = "ST-AN07258-412" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Message-Authenticator = 0x63ee5e1b0f7b81e883780f9e57c2941c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering switch Service-Type {...} +++- entering case NAS-Prompt-User {...} server nas-auth { # nested call # Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth +- entering group authorize {...} ++? if (Service-Type == 'NAS-Prompt-User') ? Evaluating (Service-Type == 'NAS-Prompt-User') -> TRUE ++? if (Service-Type == 'NAS-Prompt-User') -> TRUE ++- entering if (Service-Type == 'NAS-Prompt-User') {...} [edir-ldap] performing user authorization for testusr [edir-ldap] expand: %{Stripped-User-Name} -> [edir-ldap] ... expanding second conditional [edir-ldap] expand: %{User-Name} -> testusr [edir-ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testusr) [edir-ldap] expand: ou=users,o=radius -> ou=users,o=radius [edir-ldap] ldap_get_conn: Checking Id: 0 [edir-ldap] ldap_get_conn: Got Id: 0 [edir-ldap] performing search in ou=users,o=radius, with filter (cn=testusr) [edir-ldap] checking if remote access for testusr is allowed by cn [edir-ldap] Added the eDirectory password testpwd in check items as Cleartext-Password [edir-ldap] No default NMAS login sequence [edir-ldap] looking for check items in directory... [edir-ldap] looking for reply items in directory... [edir-ldap] user testusr authorized to use remote access [edir-ldap] ldap_release_conn: Release Id: 0 +++[edir-ldap] returns ok ++- if (Service-Type == 'NAS-Prompt-User') returns ok ++ ... skipping else for request 4: Preceding "if" was taken } # server nas-auth with nested call ++++[server[nas-auth]] returns ok +++- case NAS-Prompt-User returns ok ++- switch Service-Type returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. Login OK: [testusr] (from client primary-network port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) expand: %{request:Calling-Station-Id} -> ? Evaluating ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) -> FALSE ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) -> FALSE ++[callingstationid2vlanid] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++[reply] returns notfound Sending Access-Accept of id 152 to 10.6.254.62 port 1025 Service-Type = Framed-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "132" Rg, Arnaud-- Stichting z25.org Concordiastraat 67A 3551 EM Utrecht The Netherlands +31-(0)6-41861063