We are to configure AAA to our Pulse Secure box, but I was struggling to find a way to configure a secondary authentication if the ACS server fails. Should I create 2 realms - one with AAA authentication and the other with local authentication? Because I did not find any online articles regarding this.
If you want to configure fallback for authentication (in cases where the primary server fails), then it has to be done using the primary/secondary fields within the authentication server instance definition (for example, when you configure a RADIUS or LDAP server on a PCS device, you will see the primary/secondary auth server fields).
However, you cannot configure the device such that if the primary auth server fails (example: RADIUS), it falls back to another, completely different auth server (example: LDAP or local auth).
Well, thank you. Else I would have wasted a lot of time on this. It seems we figured out an alternative, by creating another sign-in policy that authenticates via AAA, while the default page authenticates via the local database.
I'm glad it helped. I'm sure you are aware, but I'll mention it in case you missed it. With the setup you mentioned as an alternative, a potential downside is that end users may always go to the sign-in page that is configured for the local database (local auth server), even if the LDAP/RADIUS or other external auth server is available.