specifying back end to proxy on per-user basis

Greg Woods woods at ucar.edu
Fri Aug 22 19:21:27 CEST 2008

We have a freeradius instance that talks to the world, and proxies
requests to a back end server that does token authentication via the
"otp" module. This all works fine. What we need is something we can do
when a user forgets or loses their card. We thought to use S/key for
this. To that end, I have another back end server that does s/key
authentication via a PAM module. This too works, but I have to find a
way to specify in the front end proxy on a per-user basis which back end
server should be used.

The first step to doing this was to set up a realm for the s/key server.
In the proxy.conf file for the front end proxy, the NULL realm has
authhost and secret set up for the otp back end server. I created an
SKEY realm that sets authhost and secret for the s/key back end server.
So far so good; I can run "radtest" against the front end proxy server,
and if I specify "user@SKEY" as the username, it proxies to the s/key
back end and everything works great.

The problem is that I can't figure out the magic incantation for the
proxy front end to tell it that certain users should be in the SKEY
realm. Am I basically on the right track as to the correct way to
accomplish what I want? If so, what is the magic incantation to specify
which users should be in the SKEY realm? If somebody could just point me
down the right path, I'll be happy to read the relevant documentation to
come up with the correct syntax, but I haven't found it yet.
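
The setup described in this message, written out as an added configuration example (not part of the original post and not the poster's actual files), together with one standard FreeRADIUS mechanism for assigning a realm per user: setting the Proxy-To-Realm control attribute from the front end's users file. Host names, secrets and the user names alice and bob are placeholders, and the example assumes the files module runs in the authorize section after the realm module.

```conf
# --- proxy.conf on the front end proxy --------------------------------
# Host names and secrets below are placeholders, not values from the post.

# Default path: requests with no realm go to the otp (token) back end.
realm NULL {
	type     = radius
	authhost = otp-backend.example.org:1812
	secret   = REPLACE_WITH_OTP_BACKEND_SECRET
}

# Fallback path: the s/key back end. Reached either by an explicit
# "user@SKEY" login or by a Proxy-To-Realm assignment (see below).
# Use a different shared secret from the one for the otp back end.
realm SKEY {
	type     = radius
	authhost = skey-backend.example.org:1812
	secret   = REPLACE_WITH_SKEY_BACKEND_SECRET
}

# --- users file on the front end proxy --------------------------------
# One entry per user who has lost or forgotten a token card. The ":="
# operator overwrites the realm chosen from the user name, so a plain
# "alice" login is proxied to the SKEY realm instead of NULL.
# Remove the entry once the user's card has been replaced.
alice	Proxy-To-Realm := SKEY

bob	Proxy-To-Realm := SKEY

# Users with no entry here are untouched and keep going to the NULL
# realm, that is, to the otp back end.
```

Running the front end with `radiusd -X` and sending a `radtest` request for one listed and one unlisted user shows which home server each request is proxied to.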

