I've recently had a scenario where a customer wants to implement RADIUS-based authentication, but would like to fall back to a LOCAL (i.e. on-box) authentication if and when the RADIUS is unavailable.
The PCS is replacing their old Cisco box and they are not willing to remove this feature.
To detail a bit:
- users only connect using Pulse Secure Client on Windows or Mac
- users only use a single URL
- users authenticate using username/password
- credentials must be validated against a list of radius servers
* IF no radius replies, PCS must run the credentials against the internal database; no other external requests must be made
* local authentication should NEVER be available if radius server(s) is(are) functional (i.e. port open, replies coming for each request)
These final two points (with a *) have posed a bit of a problem, as there does not seem to be a way to select a second fallback authentication method.
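The decision rule in the requirements above, modelled as an added Python example (not part of the original post and not PCS configuration). The `Reply` outcomes, function names and sample account are constructed for illustration, and no real RADIUS traffic is sent.

```python
import hashlib
import hmac
import os
from enum import Enum


class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no reply"          # server unreachable or silent


def hash_password(password, salt):
    # Salted, slow hash for the on-box (local) credential store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user, password, radius_servers, local_db):
    """Return (allowed, source). radius_servers is an ordered list of
    callables (user, password) -> Reply; local_db maps user -> (salt, hash)."""
    for query in radius_servers:
        reply = query(user, password)
        if reply is not Reply.TIMEOUT:
            # Any reply is final. A reject from a working server must never
            # fall through to the local database.
            return reply is Reply.ACCEPT, "radius"
    # Reached only when no RADIUS server replied: local check, nothing external.
    salt, stored = local_db.get(user, (b"\x00" * 16, b""))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored), "local"


# Constructed sample data: stand-ins for RADIUS servers and one local account.
def down(user, password):
    return Reply.TIMEOUT


def rejects(user, password):
    return Reply.REJECT


def accepts(user, password):
    return Reply.ACCEPT


SALT = os.urandom(16)
LOCAL_DB = {"alice": (SALT, hash_password("local-pass", SALT))}

if __name__ == "__main__":
    print(authenticate("alice", "local-pass", [down, rejects], LOCAL_DB))
    print(authenticate("alice", "local-pass", [down, down], LOCAL_DB))
```

The first call is denied by RADIUS even though the local password would match, which is the behaviour the second starred requirement asks for.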