We recently identified that our Pulse Secure is allowing locked/disabled AD accounts to connect to VPN. We use certificate authentication, and Pulse validates the cert and allows users to connect even if the user account is locked out or disabled.
We wrote a custom expression rule in Pulse to check the status of the account in AD and block any user whose account is locked/disabled by assigning no role.
userAttr.lockouttime != 0 -> Worked as expected.
userAttr.msDS-UserAccountDisabled != 0 -> Disabled user account still connects to VPN. Please suggest. Thanks in advance.
Version: 9.0R4.1 - PSA7000c.
Finally we found a solution for this: we added a custom expression rule in role mapping to block disabled user accounts by assigning no role.
userattr.userAccountControl != 512
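An added example (not from this thread or from Pulse Secure) that decodes the two AD attributes the role-mapping rules above test, so their effect can be checked offline against constructed accounts. The flag values are the documented Microsoft userAccountControl bits; 512 is NORMAL_ACCOUNT with no other bit set, so the `!= 512` rule also assigns no role to enabled accounts carrying any additional flag (for instance 66048, a normal account with password-never-expires), and the example therefore also shows a check on the ACCOUNTDISABLE bit (0x2) for comparison. It likewise shows why `lockoutTime != 0` can deny an account whose lockout has already expired: AD only resets lockoutTime on the next successful logon. The sample accounts, the timestamp NOW and the 30-minute lockout duration are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl is a bitmask; these are the documented Microsoft flag values.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200         # decimal 512: plain enabled user, no other flags
DONT_EXPIRE_PASSWORD = 0x10000  # decimal 65536; 512 + 65536 = 66048 is common

# lockoutTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, 0 = never locked.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer division of timedeltas keeps this exact (no float rounding).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def rule_lockouttime(acct):
    """Thread rule 1: userAttr.lockouttime != 0 (True = assign no role)."""
    return acct["lockoutTime"] != 0


def rule_uac_not_512(acct):
    """Thread rule 2: userattr.userAccountControl != 512 (True = assign no role)."""
    return acct["userAccountControl"] != 512


def is_disabled(acct):
    """Flag-based check: ACCOUNTDISABLE bit set, whatever other bits are present."""
    return bool(acct["userAccountControl"] & ACCOUNTDISABLE)


def is_locked_out(acct, now, lockout_duration):
    """A non-zero lockoutTime older than the domain lockout duration is a stale,
    already expired lockout; AD clears the attribute only on the next good logon."""
    lt = acct["lockoutTime"]
    if lt == 0:
        return False
    return filetime_to_datetime(lt) + lockout_duration > now


def evaluate(acct, now, lockout_duration):
    return {
        "rule_lockouttime_denies": rule_lockouttime(acct),
        "rule_uac_denies": rule_uac_not_512(acct),
        "disabled": is_disabled(acct),
        "locked_out": is_locked_out(acct, now, lockout_duration),
    }


# Constructed sample data (assumptions, not real directory values).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed domain policy value
SAMPLE = {
    "enabled":       {"userAccountControl": 512,   "lockoutTime": 0},
    "disabled":      {"userAccountControl": 514,   "lockoutTime": 0},  # 512 | 0x2
    "locked":        {"userAccountControl": 512,
                      "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    "stale_lockout": {"userAccountControl": 512,
                      "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
    "pwd_never_exp": {"userAccountControl": 66048, "lockoutTime": 0},  # 512 | 0x10000
}


def evaluate_all():
    return {name: evaluate(a, NOW, LOCKOUT_DURATION) for name, a in SAMPLE.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:14s} {result}")
```

Running it shows the two thread rules agreeing with the flag-based checks for the plain enabled, disabled and freshly locked accounts, while the `stale_lockout` and `pwd_never_exp` rows are denied by a thread rule without being locked or disabled.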
Hi @kcsvignesh,
Besides using Cert Auth on the user realm, you could also use Active Directory for the user.
If a user is then locked, they won't be able to log in. You can then also do role mapping based on LDAP group attributes.
Hope this works :-)