Microsoft Knowledge Base Article 296094 contains the following summary:

This article describes the steps to set up the Internet Authentication Service (IAS) in Windows 2000 for multiple domain logon sessions by using the Realm Replacement rules. The IAS enables the authentication of user accounts that are located in the same domain as the Remote Authentication Dial-In User Service (RADIUS) server. Also, the IAS can be configured to authenticate users in specific child domains that are in the same Windows 2000 forest.

If the RADIUS server is located in DomainA and the user account that the server is trying to authenticate is in DomainB (a child domain), the user must specify "DomainB\username" during the logon process.

You can use a Realm Replacement rule to specify a user principal name (UPN). The IAS (RADIUS) server searches the global catalog (GC) server for all child domains, and then authenticates the user.