Pulse Secure version 9.1R4 (Build 4763)
We are running a POC of MFA on Pulse Secure using Azure MFA. We are seeing an interesting behaviour that we can't seem to overcome.
1. Web browser access: MFA is working as intended, but if the user doesn't close the browser, Pulse is caching the authentication token and allows the user to re-connect without a password or MFA. Closing the browser seems to resolve this issue. We want to force MFA on every login.
2. Pulse VPN client: In most cases, users who have successfully completed MFA once are able to re-establish the VPN without being challenged with MFA. At first we thought there was a time limit on the token, but test users are able to reconnect without being challenged with basic username/password or MFA.
Is the behaviour above normal or as intended? The Pulse VPN case is concerning: if the computer is compromised, the attacker can establish a VPN into our environment without any issue.
@MCJP76 Both cases are working as expected.
Web browser access: After successful authentication with Azure, the user receives a session cookie from the Azure IdP which can be used for session resumption, i.e. as long as the user doesn't explicitly sign out from the browser, that cookie will be presented to Azure to prove the user's authenticity.
A session cookie with no expiration date specified will expire when the browser is closed. The session cookie gets deleted in the case of a manual sign-out.
Presenting the user with MFA for every login, including session resumption, has to be checked on the Azure side (if it's configurable).
Pulse Client access: The embedded browser will store the cookies, and the same scenario applies to Pulse Client logins.
For both cases, we can enable the Single Logout (SLO) feature on the VPN server, which will make the VPN server send logout requests to Azure in the event of user session termination on the VPN side.
Browser SLO should work in any version; however, Pulse Client SLO will only work when using the 9.1R9 client.
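As an added example (not Pulse Secure's or Microsoft's code, and not posted in this thread), the following Python models the exchange the answer above describes: the SP (VPN server) sends a SAML AuthnRequest, the IdP answers from its session cookie without a second password/MFA prompt, and an SP-initiated LogoutRequest (SLO) ends that IdP session so the next login is challenged again. It also shows the protocol-level knob for "MFA on every login", the ForceAuthn attribute from SAML 2.0 Core, which the thread does not mention; whether Azure honours it for a given enterprise app and whether Pulse exposes it is an assumption to verify, not something this page states. The entity ID, the user name and the IdP internals are made up for the demonstration.

```python
"""Toy SAML SP/IdP exchange: why a VPN reconnect can skip MFA (IdP session
cookie), what ForceAuthn changes, and what Single Logout (SLO) does.

Added example for this thread, not Pulse Secure or Azure code.  Message
shapes (AuthnRequest, LogoutRequest, ForceAuthn) follow SAML 2.0 Core; the
IdP is a simplified, assumed model of any SAML IdP that keeps a session
cookie.  Entity ID and user name are made up.  Signatures, bindings and the
front-channel SLO round trip are omitted.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class ServiceProvider:
    """The VPN server side: builds the SAML requests it sends to the IdP."""

    def __init__(self, entity_id, force_authn=False):
        self.entity_id = entity_id
        self.force_authn = force_authn

    def authn_request(self):
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": "_" + secrets.token_hex(8), "Version": "2.0",
            "IssueInstant": _now()})
        if self.force_authn:
            # SAML 2.0 Core 3.4.1: ask the IdP to re-authenticate even if it has a session.
            root.set("ForceAuthn", "true")
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id
        return ET.tostring(root)

    def logout_request(self, name_id):
        root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
            "ID": "_" + secrets.token_hex(8), "Version": "2.0",
            "IssueInstant": _now()})
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id
        ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
        return ET.tostring(root)


class IdentityProvider:
    """Simplified IdP: one session cookie per authenticated browser; counts MFA prompts."""

    def __init__(self):
        self.sessions = {}      # cookie value -> user
        self.mfa_prompts = 0

    def _challenge(self, user):
        # Stand-in for password + MFA.  A fresh session cookie is issued on success.
        self.mfa_prompts += 1
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def handle_authn_request(self, xml, cookie, user):
        req = ET.fromstring(xml)
        if req.tag != f"{{{SAMLP}}}AuthnRequest":
            raise ValueError("not an AuthnRequest")
        force = req.get("ForceAuthn", "false").lower() == "true"
        if cookie in self.sessions and not force:
            return cookie, "resumed"        # silent SSO: no password, no MFA
        return self._challenge(user), "challenged"

    def handle_logout_request(self, xml, cookie):
        req = ET.fromstring(xml)
        if req.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a LogoutRequest")
        self.sessions.pop(cookie, None)     # SLO ends the IdP session as well


def run_scenario(force_authn=False, slo=False, close_browser=False, reconnects=2):
    """One initial login plus `reconnects` VPN re-establishments.
    Returns (number of MFA prompts, per-login outcome list)."""
    idp = IdentityProvider()
    sp = ServiceProvider("https://vpn.example.test/saml", force_authn)  # made-up entity ID
    jar = None          # the (embedded) browser's cookie for the IdP
    outcomes = []
    for _ in range(1 + reconnects):
        jar, outcome = idp.handle_authn_request(sp.authn_request(), jar, "alice")
        outcomes.append(outcome)
        # VPN session is established here; later it is torn down:
        if slo:
            idp.handle_logout_request(sp.logout_request("alice"), jar)
        if close_browser:
            jar = None  # a session cookie without Expires dies with the browser
    return idp.mfa_prompts, outcomes


if __name__ == "__main__":
    for label, kw in [("default", {}), ("ForceAuthn", {"force_authn": True}),
                      ("SLO", {"slo": True}), ("browser closed", {"close_browser": True})]:
        prompts, outcomes = run_scenario(**kw)
        print(f"{label:15s} MFA prompts={prompts} outcomes={outcomes}")
```

With neither ForceAuthn nor SLO, two reconnects cost a single MFA prompt, which is the behaviour the question reports for the Pulse client; closing the browser, SLO on the SP side, or ForceAuthn in the request each bring it back to one prompt per login. In a real deployment the IdP's own policy (for Azure, whatever re-authentication controls the tenant offers) decides whether ForceAuthn is honoured, so test it against the actual IdP rather than assuming it.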