Security

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan. 

Is the Output of the Enforcement, in this case, as expected?

You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return. 

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan. 

yup for sure. Filter is as follows which is a slight modification the standard filter.
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

We also tried 
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))

Attributes are standard. 

Is the Output of the Enforcement, in this case, as expected?

You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return. 

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan. 

Do you see the "error=4" message if if you remove the badpwdcount filter check/restriction?

If so you may add (objectCategory=person) to the filter as well to narrow down further. 

yup for sure. Filter is as follows which is a slight modification the standard filter.
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

We also tried 
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))

Attributes are standard. 

Is the Output of the Enforcement, in this case, as expected?

You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return. 

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan. 

If I remove the badpwdcount, I only do machine auth and it works. Meaning, I forget the SSID and I double click it to connect....doesn't prompt me for user/pass. 
Before removing the badpwdcount, it prompted me for user/pass, rejected. 

Query now looks like this (not sure if its correct) but it returns a result when doing a search in the filter. 
(|(&(objectCategory=person)(&(objectClass=user)(sAMAccountName=%{Authentication:Username})))((&(objectCategory=person)&(objectClass=user)(userPrincipalName=%{Authentication:Username}))))

trying authentication now and it fails....

scratching my head....

FYI - Their AD is a mess....

Do you see the "error=4" message if if you remove the badpwdcount filter check/restriction?

If so you may add (objectCategory=person) to the filter as well to narrow down further. 

yup for sure. Filter is as follows which is a slight modification the standard filter.
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

We also tried 
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))

Attributes are standard. 

Is the Output of the Enforcement, in this case, as expected?

You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return. 

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan. 

Is your Service configured for EAP-PEAP only as of now?

Not prompting you for a password maybe a different issue. 

I may suggest trying a Clean Auth (out of the box) AD Auth Source configuration first, before adding any additional filters or the badpwdcount function. 

Is your priority Machine Auth or User Auth? 

If I remove the badpwdcount, I only do machine auth and it works. Meaning, I forget the SSID and I double click it to connect....doesn't prompt me for user/pass. 
Before removing the badpwdcount, it prompted me for user/pass, rejected. 

Query now looks like this (not sure if its correct) but it returns a result when doing a search in the filter. 
(|(&(objectCategory=person)(&(objectClass=user)(sAMAccountName=%{Authentication:Username})))((&(objectCategory=person)&(objectClass=user)(userPrincipalName=%{Authentication:Username}))))

trying authentication now and it fails....

scratching my head....

FYI - Their AD is a mess....

Do you see the "error=4" message if if you remove the badpwdcount filter check/restriction?

If so you may add (objectCategory=person) to the filter as well to narrow down further. 

yup for sure. Filter is as follows which is a slight modification the standard filter.
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

We also tried 
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))

Attributes are standard. 

Is the Output of the Enforcement, in this case, as expected?

You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return. 

Anyone seen this before.? 
Trying to migrate a customer to use EAP-TEAP but starting slow and validating EAP-PEAP works first to make sure role derivation and vlan's are properly assigned but running into this issue below.

Interesting thing is if I forget the SSID and attempt to double click it, it will do machine auth only anda connect, role assigned and in the proper vlan.