3.2.5.1.3 MS-User-Security-Identity

If the RADIUS User-Name attribute ([RFC2865] section 5.1) is found in the request, the RADIUS server MUST ignore this attribute. Otherwise, the RADIUS server SHOULD convert the SID to a Fully Qualified User Name using Active Directory Domain Services (AD DS). Once the Fully Qualified User Name is available, the server MUST follow the same processing rules specified in section 3.2.5.1.1. If the server fails to obtain the Fully Qualified User Name from AD DS, the server SHOULD send an Access-Reject message back to the NAS and stop processing.

For more details about this attribute, see section 2.2.1.3.