There are some situations in which the RADIUS username must be the combination of name + domain, for instance [email protected] instead of the usual myuser.
This might be the case for RADIUS servers that use logins provisioned from Active Directory. In these cases the users may be imported into PAM with their Active Directory attributes (that is, CN, UPN, sAMAccountName), but RADIUS may still require not just the username but also the domain to authenticate the user.
The question is whether this will work in PAM.
This will not work, because of the way the product is designed: whenever a user is imported from Active Directory, the username is the DN in canonical form (e.g. CN=myuser, DC=example, DC=com), and PAM also stores the sAMAccountName, that is, myuser.
If we try to authenticate with the RADIUS username [email protected], RADIUS will authenticate it successfully. When the login reaches PAM, however, PAM will look in its database for [email protected]@example.com; that is, it appends the domain name to the username again. It therefore cannot find a matching group for the user, and a message about the user not being registered is shown.
Changing this behaviour would imply modifying the way in which CA PAM chooses the domain at login or when it manages LDAP user groups, and it must be considered an enhancement request.