So, we need to handle unknown user suffixes to a catch-all user Realm, which in turn proxies to upstream RADIUS servers. We need to do this for external organizations to be able to use our WiFi using their home credentials (we want to participate in eduroam, https://www.eduroam.org/).
So, the setup is like this:
Known user suffix ([email protected]) --> "User may specify the realm name as a username suffix" checked --> correct user realm is chosen --> Done. Doesn't work for unknown suffixes / suffixes that don't match an existing Realm of course.
Now, if I uncheck "User may specify the realm name as a username suffix" I can proxy ALL RADIUS requests, which I don't want for 'local' requests, i.e. requests from [email protected]. If I check "User may specify the realm name as a username suffix" I cannot use unknown suffixes.
But, how would I authenticate requests with a suffix @our-organization.org locally and proxy all the other requests? Can this be done with Policy Secure?
TL;DR
.) [email protected] needs to be authenticated against our LDAP directory
.) [email protected] needs to be proxied to upstream RADIUS.
Same authentication protocol set in both cases.
I don't think so but would like to have a second opinion.