> well, you can use regexp/attr_filter to look for these systems and then just chop off the activedirectorydomain.domain.domain. part, thus allowing the AD REALM to be forced by yourselves.

I tried something similar: I used attr_rewrite to replace the bad parts of User-Name with the modified correct values. However, because I am using eap-ttls, I got an EAP error:

"rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler"

Can you point me to a doc where the attr_filter is explained better? From reading the comments/documentation I got the impression it was primarily used for proxying, and wouldn't work for other things...

Joe