Hello, I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e.group membership checking, through ldap protocol) Authentication is made forcing Auth-Type according to User-Name in the authorize section through a regex if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := ldap } } and it works, as i can authenticate user scailotto on 389ds and stefano.cailotto on AD with ntlm_auth. Authorization too works flawlessly if In the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto) The main problem arises when radius tries to match group membership for the user, as it always points to AD server. I tried to play with group statements to force using both servers, but with no success. If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac" Juniper-Local-User-Name="level15", Unisphere-Alternate-Cli-Access-Level="15" and so a match between user and groups must be made. My default file is as follows: authorize { preprocess auth_log if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := ldap } } group { ldap1{ fail=1 notfound=1 } ad_corporate_1{ fail=1 notfound=1 } } files pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix Auth-Type ldap { redundant { ldap1 ldap2 } } Auth-Type ntlm_auth { ntlm_auth } eap } . . . So, my question is: is there a way to force querying a specific server, according to Auth-Type or User-Name?i.e. User-Name = scailotto -> Auth-Type = ldap -> search group membership on ldap1 User-Name = stefano.cailotto -> Auth-Type = ntlm_auth -> search group membership on ad_corporate_1 (using ldap protocol) I suppose it should somehow be forced in the users files, but can't figure out how... TIA, Stefano -- Stefano Cailotto --------------------------------------------------------------------------- EDALab s.r.l. - Networked Embedded Systems Sede operativa: Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy Sede legale: Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy C.F./P.IVA/Iscr. Reg. Imprese di Verona n. 03706250234 Numero REA: VR - 358813 Capitale sociale: 10.000 euro --------------------------------------------------------------------------- email: stefano.cailotto@edalab.it web: http://www.edalab.it | https://www.box-io.com skype: stefano.cailotto tel: +39-045-257-0357 mobile: +39-391-731-0244 ---------------------------------------------------------------------------