We have Cisco ISE servers (2.3.0.298) consuming AD as an external identity provider via EAP-MSCHAPv2 w/ NTLMv2.
Every authentication request via these servers is generating a pair of 4776 events: one success, and one failure with the reason "Bad Username" (0x0000064). The user is authenticated via ISE without issue.
The events always list the "Source Workstation" as the ISE server and the username is valid, and both events happen milliseconds apart and always in pairs.
There is a single Cisco article that claims this is default behavior for Domain Controllers -- to first consult a local database before sending the lookup to the domain. Does anyone know if this is accurate? It seems odd to me that we would only see this behavior from RADIUS requests. I have also read that MS-RPC authentication requests may generate duplicate events, but I don't think it's possible to use Kerberos with MSCHAPv2.
Anyone have any insight at all?