Yes, captive portal group uses both internal and RADIUS server. Fail through is enabled.
Our configuration has remained consistent for 3-4 years.
We've only started receiving these complaints since upgrading to 6.4.2.3.
I've been able to duplicate the issue:
1) login with guest account using incorrect password - check local events log and see failure at internal server/db;
2) try again, see failure at RADIUS server;
3) each subsequent attempt goes directly to RADIUS server, even if I enter a new user name.
The only way I've been able to fix the issue to to go to CLI of the controller and remove client with the "aaa user delete mac" command. After that, login will then attempt to hit the internal server/db.
Users have turned off their wi-fi, and rebooted devices, and problem still remains.
My problem is that I have 180+ locations, and the support process usually means that the user is gone by the time a ticket reaches me. I'll have another user on-site try to login and they are successful, so problem appears to be fixed.....of course I can't prove the other user provided an invalid password on the first attempt.