Hi,
I previously had to allow Active Directory users to authenticate from some domain with unqualified usernames.
I simply forked the LDAP module already present in FreeRADIUS, and removed any authentication part, since it won't be used here.
The configuration of the forked module also contains a new "realm" variable.
The module already handle the search for you, so if the user was found, I appended to the username @realm variable that was specified in the configuration file.
Now that you have a qualified username, simply configure the FreeRADIUS to proxy the users for that domain, and configure the NPS service on your Active Directory.
The key part is to call the suffix module after the custom LDAP module, so everything will go smoothly.
If I remember correctly, you'll have to tune a bit the LDAP configuration on the Active Directory or it will not respond in case of too much connections.
PS: don't pay attention to the Kerberos part, the FreeRADIUS did have to handle accounts that had MIT Kerberos profiles too, but that's not the topic here =)
Regards.