Came across this strange behavior when some users entering their username, either on the ISE portal screen or while connecting to the wireless network, were failing Active Directory (AD) authentication with an invalid password error message. Password and account lockout status checked out fine. If the user added the domain/ prefix, authentication was successful, yet other users were able to authenticate without it just fine. Taking a closer look at the ISE authentication logs revealed that for the failed attempts the username was being appended with a dollar sign "$", while successful logons were listed correctly.
While checking online I found out that the sAMAccountName attribute of a computer object is the NetBIOS name of the computer with a trailing dollar sign, “$”, appended. Besides flagging the object as a computer (which has class user), it also helps ensure uniqueness.
This made me think there was most likely a computer account in AD whose name matched the username, causing ISE to validate the password against the computer account instead of the user account, and of course there was. Its DisplayName attribute also had a dollar sign at the end.
There are a few ways to address this issue.
- Run a report through the AD computer objects to identify names that duplicate user logon names, and work on renaming all such computer accounts to something other than the user account name.
- Instruct users to use the domain/ prefix when authenticating with their username.
- Authenticate users only from a specific AD group by modifying the authorization rule.
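The first option can be scripted. The PowerShell report below is an added example (not from the original post) that lists every AD computer object whose sAMAccountName, once the trailing "$" is stripped, matches a user's sAMAccountName; it assumes the ActiveDirectory RSAT module is installed and the account running it can read the domain.

```powershell
# Added example (not part of the original post): find AD computer accounts whose
# sAMAccountName (minus the trailing "$") collides with a user's sAMAccountName.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Index every user logon name; AD compares sAMAccountName case-insensitively,
# so lowercase the key before storing it.
$users = @{}
Get-ADUser -Filter * -Properties sAMAccountName | ForEach-Object {
    $users[$_.sAMAccountName.ToLowerInvariant()] = $_.DistinguishedName
}

# Computer objects carry the "$" suffix; strip it and look for a matching user.
$collisions = Get-ADComputer -Filter * -Properties sAMAccountName | ForEach-Object {
    $bare = $_.sAMAccountName.TrimEnd('$').ToLowerInvariant()
    if ($users.ContainsKey($bare)) {
        [pscustomobject]@{
            LogonName  = $bare
            UserDN     = $users[$bare]
            ComputerDN = $_.DistinguishedName
        }
    }
}

# Each row is one user who will hit the "$"-suffixed mismatch seen in the ISE logs.
$collisions | Format-Table -AutoSize

# Optional: keep the list for the rename effort.
# $collisions | Export-Csv -Path .\computer-user-collisions.csv -NoTypeInformation
```

Rerun the report after the renames so a newly joined machine does not reintroduce a collision.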