Ok...here is an update to this. I have been on the phone with TAC now for 3+ hours on this issue.
Current setup:
1. AD only allows 3 login attempts before an account gets locked out.
What we are seeing:
1. Windows 7 laptop users' accounts get locked out after failing to input their AD password with one try/attempt.
What TAC found/seeing:
When a user attempts to log in via 802.1x (RADIUS), CPPM will take the request coming from the user and send out 2 login attempts to AD. The first login attempt is the username in all lowercase (i.e. firstname.lastname in our case here). The second attempt is the username with capital letters (i.e. Firstname.Lastname).
What we are seeing is there is a 3rd attempt. The 3rd attempt has domain information (i.e. domain.com/firstname.lastname). The reason for the 3rd attempt is because under our Windows EAP MSCHAP setting we enabled (checkbox) "Automatically use my Windows logon name and password (and domain if any)".
We have tried to implement the "badPwdCount" check like CJoseph recommended within ClearPass, but that doesn't work either since our AD password setting only allows 3 login attempts before locking out.
To do this the attribute command is as follows within ClearPass: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=3)))
Solution: There is none. There are only workarounds.
1. Bump up the lockout count from 3 to 5 within AD. For us it's not possible because that would require a lot of paperwork and approval (audits).
2. Wait till TAC gets back with a solution. It's being escalated now to engineering.
Chan
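The interaction described in the post (a RADIUS server retrying username variants against AD, an AD lockout threshold of 3, and a badPwdCount pre-authentication filter) can be modelled to see why the filter does not help. The following is an added example, not ClearPass or Microsoft code and not part of the original post. It assumes a simplified AD bind model (badPwdCount increments on each failed bind, the account locks at the threshold, and no observation-window reset), assumes the pre-filter is evaluated once per request on the account state at the start of that request, and uses constructed account and username values. It also generalises beyond the post by computing the largest filter value that cannot lock an account for a given number of username variants per request.

```python
"""Constructed model of AD lockout vs. a RADIUS server that retries username
variants, plus the badPwdCount pre-filter from the post.  Not vendor code."""

LOCKOUT_THRESHOLD = 3  # constructed: mirrors the AD policy in the post

# Constructed username variants: the two ClearPass sends, plus the third one
# produced by the Windows "use my logon name and domain" EAP setting.
VARIANTS_2 = ["firstname.lastname", "Firstname.Lastname"]
VARIANTS_3 = VARIANTS_2 + ["domain.com/firstname.lastname"]


def make_account(sam="firstname.lastname"):
    """Constructed AD entry reduced to the attributes the filter touches."""
    return {"sAMAccountName": sam, "objectClass": ["top", "person", "user"],
            "badPwdCount": 0, "lockedOut": False}


def escape_ldap_value(value):
    """Escape an assertion value per RFC 4515 so user input cannot reshape the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_prefilter(username, max_bad=3):
    """The filter string from the post, with the username substituted and escaped."""
    return ("(&(&(sAMAccountName=%s)(objectClass=user))(!(badPwdCount>=%d)))"
            % (escape_ldap_value(username), max_bad))


def normalize(username):
    """sAMAccountName matching is case-insensitive; a 'domain/' prefix is stripped
    here so all three variants resolve to one account (assumption of this model)."""
    return username.rsplit("/", 1)[-1].lower()


def prefilter_admits(account, username, max_bad):
    """Evaluate the filter semantics against the in-memory account, no LDAP server needed."""
    return (account["sAMAccountName"].lower() == normalize(username)
            and "user" in account["objectClass"]
            and not account["badPwdCount"] >= max_bad)


def bind(account, password_ok, threshold=LOCKOUT_THRESHOLD):
    """One simple bind against the account: 'success', 'bad_password' or 'locked'."""
    if account["lockedOut"]:
        return "locked"
    if password_ok:
        account["badPwdCount"] = 0
        return "success"
    account["badPwdCount"] += 1
    if account["badPwdCount"] >= threshold:
        account["lockedOut"] = True
    return "bad_password"


def auth_request(account, variants, password_ok,
                 threshold=LOCKOUT_THRESHOLD, filter_max_bad=None):
    """One 802.1X request: each username variant is tried until one succeeds.
    Returns the per-variant outcomes.  The pre-filter, when set, is evaluated once
    on the account state at the start of the request (assumption)."""
    if filter_max_bad is not None and not prefilter_admits(account, variants[0], filter_max_bad):
        return ["prefilter_denied"]
    outcomes = []
    for _user in variants:
        result = bind(account, password_ok, threshold)
        outcomes.append(result)
        if result == "success":
            break
    return outcomes


def largest_safe_filter_value(variants_per_request, threshold):
    """Largest X such that an account admitted by !(badPwdCount>=X), i.e. with
    badPwdCount <= X-1, cannot reach the threshold within one request of
    variants_per_request failed binds.  0 means no filter value can prevent lockout."""
    return max(0, threshold - variants_per_request)


if __name__ == "__main__":
    for variants in (VARIANTS_2, VARIANTS_3):
        acct = make_account()
        auth_request(acct, variants, password_ok=False, filter_max_bad=3)
        print(len(variants), "variants, filter>=3:", "LOCKED" if acct["lockedOut"] else "ok",
              "| largest safe filter value:",
              largest_safe_filter_value(len(variants), LOCKOUT_THRESHOLD))
```

With three variants and a threshold of 3 the model locks a clean account on the very first wrong password, with or without the `badPwdCount>=3` filter, which is the behaviour the post reports; with two variants a filter value of 1 keeps the account below the threshold. Real AD resets badPwdCount after the lockout observation window and keeps the counter per domain controller, neither of which the model includes, so treat the numbers as an illustration of the mechanism rather than a sizing rule.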