Hi bradk,
You got it right. All you need to do is, in the sign-in page policy, map the sign-in URL with two realms (one realm which holds the certificate server for machine authentication and another realm which holds the RADIUS server for user authentication).
For example,
Bradk-CERT-Realm >>> Certificate Authentication Server to authenticate Machines using Machine Certificates
Bradk-RADIUS-Realm >>> RADIUS server to authenticate Users using user credentials (With correct Role mappings)
On the VPN Connections page, select the MACHINE/USER option from the drop-down list. You will see this:
Machine Connection Preferences:
Preferred Machine Realm: Bradk-CERT-Realm
User Connection Preferences:
Preferred User Realm: Bradk-RADIUS-Realm
Save Changes and push the configuration to the Pulse client, either through a browser session or the pre-config method (JAMUI Command).
[ FYI, you can do machine authentication using the machine account if the machine is domain-joined (Active Directory). To achieve this, all you need is to create an AD authentication server with a realm and map this realm in the Preferred Machine Realm option. That's it. ]
In the background, whenever the machine boots, it will automatically authenticate using the machine certificate/account, and when the user attempts to sign in to that machine (as soon as the user triggers the login page to appear), the machine tunnel will be torn down and the user tunnel will be formed, if the credentials provided by the user are valid.
Thanks,
Ray.

Pulse Connect Secure Certified Expert