diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index aef33911cf..645bb40546 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -138,7 +138,9 @@ class RADIUSBackend(BaseRADIUSBackend):
 if not feature_enabled('enterprise_auth'):
 logger.error("Unable to get_user, license does not support RADIUS authentication")
 return None
- return super(RADIUSBackend, self).get_user(user_id)
+ user = super(RADIUSBackend, self).get_user(user_id)
+ if not user.has_usable_password():
+ return user
 def get_django_user(self, username, password=None):
 try:
@@ -190,7 +192,9 @@ class TACACSPlusBackend(object):
 logger.exception("TACACS+ Authentication Error: %s" % (e.message,))
 return None
 if auth.valid:
- return self._get_or_set_user(username, password)
+ user = self._get_or_set_user(username, password)
+ if not user.has_usable_password():
+ return user
 else:
 return None
 return None
diff --git a/awx/sso/tests/unit/test_tacacsplus.py b/awx/sso/tests/unit/test_tacacsplus.py
index 33625a8dd7..58f5ae8c92 100644
--- a/awx/sso/tests/unit/test_tacacsplus.py
+++ b/awx/sso/tests/unit/test_tacacsplus.py
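Review bot: In RADIUSBackend.get_user the new `user.has_usable_password()` call dereferences the parent's return value without a None check. If the base backend returns None for an unknown `user_id` (the usual Django backend contract; the parent class is not visible here), a session that points at a deleted user would raise AttributeError instead of being treated as unauthenticated. Guard the check and make the refusal explicit: `if user is None or user.has_usable_password(): return None` followed by `return user`. As written, the refused case returns None only by falling off the end of the function, which is easy to break in a later edit. The method starts above the hunk.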
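Review bot: In TACACSPlusBackend.authenticate, a login that the TACACS+ server accepted but that is refused because the matching local account has a usable password falls through to the final `return None` with no log entry. In the logs that refusal is indistinguishable from a wrong password, so a username collision between the external directory and a local account goes unnoticed. Add an explicit branch after the check, for example `logger.warning("TACACS+ login refused for %s: local account has a usable password", username)` and then `return None`. Also note that `_get_or_set_user(username, password)` runs before the check and its body is outside this hunk, so confirm it makes no change to an existing local account. authenticate() begins above the hunk.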
@@ -50,16 +50,35 @@ def test_client_return_invalid_fails_auth(tacacsplus_backend, feature_enabled):
 assert ret_user is None
+def test_user_with_password_fails_auth(tacacsplus_backend, feature_enabled):
+ auth = mock.MagicMock()
+ auth.valid = True
+ client = mock.MagicMock()
+ client.authenticate.return_value = auth
+ user = mock.MagicMock()
+ user.has_usable_password = mock.MagicMock(return_value=True)
+ with mock.patch('awx.sso.backends.django_settings') as settings,\
+ mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
+ mock.patch('tacacs_plus.TACACSClient', return_value=client),\
+ mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
+ settings.TACACSPLUS_HOST = 'localhost'
+ settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
+ ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
+ assert ret_user is None
+
+
 def test_client_return_valid_passes_auth(tacacsplus_backend, feature_enabled):
 auth = mock.MagicMock()
 auth.valid = True
 client = mock.MagicMock()
 client.authenticate.return_value = auth
+ user = mock.MagicMock()
+ user.has_usable_password = mock.MagicMock(return_value=False)
 with mock.patch('awx.sso.backends.django_settings') as settings,\
 mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
 mock.patch('tacacs_plus.TACACSClient', return_value=client),\
- mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value="user"):
+ mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
 settings.TACACSPLUS_HOST = 'localhost'
 settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
 ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
- assert ret_user == "user"
+ assert ret_user == user
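Review bot: test_user_with_password_fails_auth only asserts `ret_user is None`, which authenticate() also returns on a disabled feature, a client exception or an invalid reply, so the test would still pass if the usable-password check were removed and the call failed for another reason. Pin the cause by adding `client.authenticate.assert_called_once()` and `user.has_usable_password.assert_called_once_with()` after the final assert. In test_client_return_valid_passes_auth, `assert ret_user is user` states the intent more exactly than `==` on a MagicMock. No test for the matching RADIUSBackend.get_user change appears in this diff, and both the usable-password and unknown-user cases there are worth covering.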