Having trouble with "passwd" authentication
Darcy Boese
dboese at gmail.com
Fri Oct 15 18:39:25 CEST 2021
I've got an old FreeRADIUS server that's been plugging along for a
long time. It pulls in the files /etc/passwd, /etc/shadow and
/etc/group from an external server, all copied into an /etc/radius/
folder, and authenticates PPPoE sessions. I don't need help with this
old server, but I need to replicate its functionality at a new
location.
So I have installed a completely fresh FreeRADIUS 3.0 server, and
after a lot of tinkering and quite a bit of hair-pulling, I managed to
get it into a state where it will authenticate usernames and passwords
against the /etc/radius/shadow file.
To get that far, I'd modified the "mods-enabled/passwd" to read:
    passwd shadow {
        filename = /etc/radius/shadow
        format = "*User-Name:Crypt-Password:"
        hash_size = 100
        ignore_nislike = no
        allow_multiple_keys = no
    }
and in the "sites-available/default" file where it listed "unix"
(approx line 400 in the "authorize" section) I listed "shadow"
instead. Easy peasy, so to speak.
But there's still one major hitch that I cannot seem to get straight.
Getting authentication to work when the username has an attached
"realm" is failing, and I'm utterly boggled for now as to where or
what I need to change, because it's totally different from the old but
still-plugging-along server.
So this works:
    radtest <username> <password> localhost 5000 testing123
but this fails:
    radtest <username at domain> <password> localhost 5000 testing123
As far as I can gather, there's no "nostrip" option enabled anywhere,
yet the realm isn't being stripped before being matched via the passwd
module.
Help please?
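
An added illustration, not part of the original post and not FreeRADIUS code: a simplified Python model of an exact-match lookup keyed by the "*User-Name" field of the format line quoted in the message, run over a constructed shadow-style sample. It shows the symptom described: a name with an attached realm finds no entry unless the realm is split off before the lookup. Function names, the sample file and the realm helper are assumptions; only the "*" key marker of the format string is modeled.

```python
# Simplified model of a keyed passwd-style lookup (illustration only).
FORMAT = "*User-Name:Crypt-Password:"   # format string from the post

# Constructed sample in shadow layout; the hashes are placeholders.
SHADOW = """\
alice:$6$constructedsalt$constructedhashvalue:18900:0:99999:7:::
bob:$6$anothersalt$anotherhashvalue:18900:0:99999:7:::
"""

def parse_format(fmt, delimiter=":"):
    """Return (key_index, field_names); unnamed fields become None."""
    names, key_index = [], None
    for i, field in enumerate(fmt.split(delimiter)):
        if field.startswith("*"):          # "*" marks the lookup key field
            key_index, field = i, field[1:]
        names.append(field or None)
    if key_index is None:
        raise ValueError("format has no key field marked with '*'")
    return key_index, names

def load_table(text, fmt, delimiter=":"):
    """Index each line by its key column, keeping the other named columns."""
    key_index, names = parse_format(fmt, delimiter)
    table = {}
    for line in text.splitlines():
        cols = line.split(delimiter)
        if len(cols) <= key_index or not cols[key_index]:
            continue                        # skip blank or short lines
        table[cols[key_index]] = {
            n: c for i, (n, c) in enumerate(zip(names, cols))
            if n and i != key_index
        }
    return names[key_index], table

def lookup(request, key_attr, table):
    """Exact-match lookup on the key attribute; None means no entry."""
    return table.get(request.get(key_attr))

def strip_suffix_realm(user_name, delimiter="@"):
    """Assumed helper: split 'user@realm' into (user, realm)."""
    user, sep, realm = user_name.rpartition(delimiter)
    return (user, realm) if sep else (user_name, None)

KEY_ATTR, TABLE = load_table(SHADOW, FORMAT)

if __name__ == "__main__":
    for name in ("alice", "alice@example.org"):
        print(name, "->", lookup({KEY_ATTR: name}, KEY_ATTR, TABLE))
    user, realm = strip_suffix_realm("alice@example.org")
    print(user, realm, "->", lookup({KEY_ATTR: user}, KEY_ATTR, TABLE))
```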