I'm looking to implement a PSA3000 but not sure of the best approach for the authentication server. I would like to use AD and have Google Authenticator as a second factor to log in to the portal. This is nice as users just have one username and password to remember.
My issue is if users forget their domain password or the password expires. We have an on-prem password system for users to change their password, but of course they have to be on the network to access it. If they cannot connect to the Pulse Secure, they cannot reset the password.
We could use a local server for auth, but that would require every user to have two passwords.
Is there a better solution?
You can turn on password management. See https://docs.pulsesecure.net/WebHelp/PCS/8.3R3/Content/PCS/PCS_AdminGuide_8.3/Using_the_LDAP_Passwor...
You'll basically need to create an LDAP server under Auth Servers and point it to your AD server. Then at Realm level, you can enable Password Management under Authentication Policy > Password:
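What the LDAP password-management feature does against AD is a standard LDAP password change, which is why it only works when the auth server is AD reachable over LDAPS (AD refuses to set `unicodePwd` on a cleartext connection). The following is an added example, not code from the original post or from Pulse Secure, written with the standard library only so it runs offline: it builds the `unicodePwd` modify payload AD expects, and evaluates the `pwdLastSet` / `maxPwdAge` attributes so you can tell whether a user the gateway is about to challenge is "ok", "expired", "must change at next logon" or "never expires". The FILETIME constants and the sample account values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_PER_DAY = 24 * 60 * 60 * 10_000_000
NEVER_EXPIRES = -0x8000000000000000   # AD stores "maxPwdAge = never" as INT64 min
FORTY_TWO_DAYS = -42 * FILETIME_PER_DAY  # constructed domain policy; AD stores it negative


def unicode_pwd_value(password: str) -> bytes:
    """Encode a password for the AD 'unicodePwd' attribute: the value wrapped in
    double quotes and UTF-16LE encoded. AD only accepts this over an encrypted
    session (LDAPS on 636 or StartTLS), so the LDAP auth server defined on the
    gateway must use that, not plain 389."""
    return f'"{password}"'.encode("utf-16-le")


def user_password_change_mods(old_password: str, new_password: str):
    """Modification list for a user changing their OWN password: delete the old
    value, add the new one, in a single modify. Only an administrator with
    reset-password rights may instead 'replace' unicodePwd in one step."""
    return [
        ("delete", "unicodePwd", [unicode_pwd_value(old_password)]),
        ("add", "unicodePwd", [unicode_pwd_value(new_password)]),
    ]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (e.g. pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, for building test values."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def password_status(pwd_last_set: int, max_pwd_age: int, now_ft: int):
    """Return (status, days_left) for an account.

    pwd_last_set : the user's pwdLastSet (FILETIME; 0 = must change at next logon)
    max_pwd_age  : the domain's maxPwdAge (negative FILETIME interval)
    now_ft       : current time as FILETIME
    """
    if max_pwd_age in (0, NEVER_EXPIRES):
        return ("never-expires", None)
    if pwd_last_set == 0:
        return ("must-change", None)
    # maxPwdAge is stored negative, so subtracting it moves forward in time.
    expires_ft = pwd_last_set - max_pwd_age
    days_left = (expires_ft - now_ft) // FILETIME_PER_DAY
    if expires_ft <= now_ft:
        return ("expired", days_left)
    return ("ok", days_left)


if __name__ == "__main__":
    # Constructed sample account: pwdLastSet in mid-2022, 42-day policy.
    last_set = 133_000_000_000_000_000
    print(filetime_to_datetime(last_set).isoformat())
    print(password_status(last_set, FORTY_TWO_DAYS, last_set + 10 * FILETIME_PER_DAY))
    print(user_password_change_mods("OldPass1!", "NewPass2!"))
```

The point for the realm setup in the thread: the gateway's password-management prompt fires from exactly these attributes, so if `pwdLastSet` is 0 or the computed expiry has passed, the user is allowed one LDAPS-backed change and is otherwise rejected; a plain-LDAP auth server silently breaks the change step while still authenticating.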
Assuming they can connect (just bear with me here), how would they do the domain reset? Would they do this via some security challenge?
One of the things that can be done is to set up a sign-in policy/realm that does an Anonymous connection back to the application you are using for the reset. The end user gets presented with the challenge and they take care of the reset.
If you want to see this in action, send me a direct message and we'll set up a confcall and I'll show you how it's done.
Unfortunately, this is not possible. Once you select Anonymous, you really can't pass in a username to be used against the Google Auth.
I understand your concern, but we have many customers doing this. They create a web ACL so only the reset application is accessible. Also, that isn't usable unless the end user knows his security. You can also add some more checks and only allow access during work hours, etc.