Looking in the TA default/props.conf line 381
EVAL-action = if(isnull(access_policy_result), null, if(access_policy_result="Logon_Deny","blocked","allowed"))
Looks like it should default to "allowed" unless the deny action is reached.
I would raise a support case to Splunk as this is a bug -> http://docs.splunk.com/Documentation/CIM/4.12.0/User/Authentication
... View more