2.4 Display Issue when doing RADIUS Authorization Only

paul
Level 10

I have several customers where we are using ISE for VPN authorization only. This could be the ASA doing only cert authentication but passing the username in the cert over to ISE for authorization, or it could be doing MFA during authentication directly to the MFA vendor and then doing authorization over to ISE.

RADIUS has no concept of authorization, so in ISE you have to fake your way past authentication. The easiest way to do that is to set the authentication to Internal Users and set the user-not-found condition to continue. This works perfectly.

The issue now in 2.4 is that if authentication hits a user-not-found condition, ISE changes the username and RADIUS username field to INVALID, so the identity column in the live logs and reports is useless. The whole idea of sending authorization to ISE is for visibility and DACL/SGT control. Visibility is lost when ISE obliterates the username field with INVALID.

The actual authorization works perfectly. This username field was not changed in 2.3.

Is this a known issue in 2.4 or an intentional change? We are going to get a TAC case going, but wanted to see if this was a known issue.

Thanks.

Accepted Solution

hslai
Cisco Employee

Many thanks for bringing this to our attention. Please unicast me the TAC case number.

This ISE 2.4 change is to meet a requirement for product security baseline.
