This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity. Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange. Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).
Fixes #1182.