I have two Connection Request Policies
The condition for the first policy is to apply to all usernames that contain "@domain.com" (this is not the AD domain). This policy will rewrite the User-Name attribute to be just what's left of the @ (Find: (.*)@(.*) Replace with: $1), and then authenticate it.
The second processed Connection Request Policy will not rewrite anything and just authenticate the user.
I have a Network Policy that has specified PEAP with a trusted certificate, MS-CHAP-v2 and MS-CHAP.
When I try to authenticate the user "username@company.com" the username gets rewritten to "username" but it gets rejected with the following error:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          07.03.2013 12:25:23
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      nps-server.company.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                DOMAIN\username
    Account Name:               username
    Account Domain:             DOMAIN
    Fully Qualified Account Name:   domain.company.com/User-Accounts/username

Client Machine:
    Security ID:                NULL SID
    Account Name:               -
    Fully Qualified Account Name:   -
    OS-Version:                 -
    Called Station Identifier:  -
    Calling Station Identifier: 02-00-00-00-00-01

NAS:
    NAS IPv4 Address:           127.0.0.1
    NAS IPv6 Address:           -
    NAS Identifier:             -
    NAS Port-Type:              Wireless - IEEE 802.11
    NAS Port:                   -

RADIUS Client:
    Client Friendly Name:       testclient.company.com
    Client IP Address:          192.168.1.9

Authentication Details:
    Connection Request Policy Name: at company.com
    Network Policy Name:        Company-Policy
    Authentication Provider:    Windows
    Authentication Server:      nps-server.company.com
    Authentication Type:        PEAP
    EAP Type:                   Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:                16
    Reason:                     Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
It clearly sees that the user exists (finds its Fully Qualified Account Name) and I know the password is correct, but it still rejects it.
However, when I try to authenticate the username without @company, just "username", it gets authenticated without any problems.
Why won't it authenticate usernames after they are rewritten? Is it because I use PEAP with a certificate on the server?
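The following is an added example, not code from the question or from NPS itself. It models the two Connection Request Policies described above as they act on the RADIUS User-Name attribute: the first policy matches a constructed condition regex (assumed here to be `@company\.com$`, since the log shows a company.com realm), applies the NPS-style Find/Replace rule `(.*)@(.*)` → `$1`, and the second policy is a catch-all that rewrites nothing. NPS writes back-references as `$1` while Python's `re` uses `\1`, so the rule is translated before use. Only the outer RADIUS User-Name attribute is modelled; the identity carried inside the PEAP tunnel is not represented here.

```python
import re

# Constructed NPS-style Connection Request Policies, evaluated in order.
# Each has one condition (attribute, regex) and a list of Find/Replace rules
# written the way they are entered in the NPS console (.NET regex, $n groups).
CRPS = [
    {
        "name": "at company.com",                 # name taken from the event log
        "condition": ("User-Name", r"@company\.com$"),  # assumed condition regex
        "rules": [(r"(.*)@(.*)", "$1")],          # rule quoted in the question
    },
    {
        "name": "catch-all",                      # hypothetical name for CRP #2
        "condition": ("User-Name", r".*"),
        "rules": [],                              # no attribute manipulation
    },
]


def nps_replace(find: str, replace: str, value: str) -> str:
    """Apply one NPS-style Find/Replace rule to an attribute value.

    NPS uses $1..$9 for capture groups; Python's re.sub uses \\1..\\9, so the
    replacement string is translated first. If the pattern does not match,
    re.sub returns the value unchanged, which is the behaviour we want.
    """
    py_replace = re.sub(r"\$(\d)", r"\\\1", replace)
    return re.sub(find, py_replace, value)


def evaluate_crps(user_name: str, crps=CRPS):
    """Return (policy name, rewritten User-Name) for the first CRP whose
    condition matches, applying that policy's rules in order. Returns
    (None, user_name) if no policy matches."""
    for crp in crps:
        attr, pattern = crp["condition"]
        if attr != "User-Name":
            continue  # only User-Name conditions are modelled here
        if re.search(pattern, user_name):
            value = user_name
            for find, replace in crp["rules"]:
                value = nps_replace(find, replace, value)
            return crp["name"], value
    return None, user_name


if __name__ == "__main__":
    # Constructed sample identities, including edge cases for the greedy
    # (.*)@(.*) rule: a DOMAIN\ prefix survives, and with two @ signs the
    # first group captures everything up to the last @.
    for name in [
        "username@company.com",
        "username",
        "DOMAIN\\username@company.com",
        "user@sub@company.com",
        "username@other.org",
    ]:
        policy, rewritten = evaluate_crps(name)
        print(f"{name!r:36} -> CRP {policy!r:18} User-Name {rewritten!r}")
```

Run it to see which policy each identity lands in and what the User-Name attribute looks like afterwards; a realm the condition does not match (for example `@other.org`) falls through to the catch-all untouched.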