ACF01072 INVALID LOGON when trying to logon to various applications with CA AAM Enabled

Article ID: 222951

Products

CA Advanced Authentication Mainframe, CA ACF2, CA ACF2 - MISC, CA ACF2 - z/OS

Issue/Introduction

After users are defined for MFA with CA Advanced Authentication Mainframe (CA AAM), they are unable to log on to various applications. It was confirmed that their passwords are being entered correctly. Users not defined for CA AAM are able to log on. Maintenance is up to date.

Various errors are seen depending on the application:
ACF01072 INVALID LOGON 
MML0004E - The password specified is not authorized
GSVX492A Logon credentials invalid

Turning on debug for CA AAM shows RADIUS authenticate RC = 1, stating that the password does not match.

Resolution

Password case sensitivity for applications is controlled by the RCVTPLC bit in the RCVT. This bit is part of the application programming interface, and applications such as FTP, Sysview via VTAM, CSM, etc. will uppercase the credential if it is not turned on. If the MFA server is expecting a mixed case credential but receives the credential in uppercase, the validation fails, resulting in one of the errors shown above.

The PSWDMIXD|NOPSWDMIXD field of the ACF2 GSO PSWD record controls whether the RCVTPLC bit is on to allow mixed case passwords. Care should be taken when changing this record to specify PSWDMIXD; follow KD Article 27237, "How to set up your ACF2 system to allow Mixed Case Passwords to be used".

To resolve this issue without specifying PSWDMIXD, one of the following actions can be taken:

  1. The credential will not be uppercased if passphrase is enabled and the length of the credential is greater than 8 characters. Configure applications to support passphrase and configure the MFA credential to always be greater than 8 characters.
  2. Configure the MFA credential such that it will not include lowercase characters.
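
The uppercasing rule described above can be modelled to check a candidate MFA credential format against each application before rollout. This is an added example, not CA/Broadcom code; the `App` fields, application names and sample credentials are constructed assumptions, and the model only restates the rule given in this article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    mixed_case: bool  # assumption: models RCVTPLC on (GSO PSWD PSWDMIXD)
    passphrase: bool  # assumption: application configured for passphrase support

def forwarded(credential: str, app: App) -> str:
    """Credential as the application passes it on, per the rule in this article."""
    if app.mixed_case:
        return credential  # mixed case allowed, nothing is folded
    if app.passphrase and len(credential) > 8:
        return credential  # passphrase path: not uppercased above 8 characters
    return credential.upper()  # otherwise the application uppercases it

def failing_apps(credential: str, apps: list) -> list:
    """Names of applications where the MFA server would receive an altered credential."""
    return [a.name for a in apps if forwarded(credential, a) != credential]

def advice(credential: str, app: App) -> str:
    """Which of the two workarounds from the article applies for this application."""
    if forwarded(credential, app) == credential:
        return "ok"
    if app.passphrase:
        return "make the credential longer than 8 characters, or remove lowercase"
    return "enable passphrase and use more than 8 characters, or remove lowercase"

# Constructed sample data: three application configurations, three credential formats.
APPS = [
    App("uppercasing-app", mixed_case=False, passphrase=False),
    App("passphrase-app", mixed_case=False, passphrase=True),
    App("mixed-case-system", mixed_case=True, passphrase=False),
]
SAMPLES = ["abc123XY", "abc123XYz", "ABC123XY"]  # 8 mixed, 9 mixed, 8 uppercase

if __name__ == "__main__":
    for cred in SAMPLES:
        print(f"credential format {cred!r}: fails on {failing_apps(cred, APPS) or 'none'}")
        for app in APPS:
            print(f"  {app.name}: {advice(cred, app)}")
```

Note the boundary: a credential of exactly 8 characters is still uppercased even with passphrase enabled, because the rule requires a length greater than 8.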