Hi mwarnier, I think your users are trying to authenticate from a domain-joined (AD) machine using credential provider, you will be sending the username in \ format to AD to authenticate and the same will cached by the credential provider. While users are authenticating the exact format will be provided as username by credential provider however the LDAP Server only looks for attribute which you configured such as samaccountname or userprincipalname, this is the reason it's failing. As a workaround, try editing any attribute for eg. "comment" and enter the value as "DOMAIN\USERNAME" then change the attribute as "comment=" in your LDAP server. It will work! I tried this in my lab. However it's not feasible if you're having huge number of customers. So, If possible, use AD auth server. Thanks, Ray. ... View more

Hi skinnieh, "Does that mean the Pulse Desktop Client will always try the first line (primary) first and then move on to the 2nd (DR)?" --- Yes, That's Right. "For your second question" --- If the first URL responds fine then pulse won't fallback to the second URL & NO, pulse won't take it as a failure if the backend auth server is offline. Regards, Ray. ... View more

This is not a issue, since pre-authentication host checker policy will be running before user authentication (Realm Level) the PCS server doesn't know who the user is. This is the expected behaviour, if it's a post-authentication policy (Role level) PCS server would have known the user who is authenticated and will display the realm & username. ... View more

Hi crstr, Yes, you can directly upgrade. See the upgrade paths in 8.3R2.1 PCS Release Notes https://www.pulsesecure.net/download/techpubs/current/981/pulse-connect-secure/pcs/8.3rx/pcs_relnotes_8.3r2.1.pdf Thanks, Ray. ... View more

Sorry to hear about that, I guess pulse secure support engineers would have raised a ticket with OPSWAT by now and get you a fix soon. I'm sorry that i can't do anything to fix this issue as this has to deal with their Engineering Team. Regards, Ray. ... View more

Hi Imran33, Refer the document below to understanding this behaviour. https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/VPN Tunneling Proxy Support.htm?Highlight=proxy pac Thanks, Ray. ... View more

I gone through the case notes and logs. As a workaround, >>> Use V4 SDK >>> Host checker policy - In drive configuration details select "Specific Drives" and check only "Macintosh HD" drive. Give this a try and tell me what happens. Thanks, Ray. ... View more

Hi romcan, Yes, ESAP 3.1.4 V3 has FileVault 10.13 as supported. Was it working before? or is it a new setup? Which version of ESAP are you using V3 or V4? If possible, Please upload the Client-side debug logs & ESAP Diagnostic logs. Thanks, Ray. ... View more

Hi Bradk, Sorry I forgot to mention this, as you said "At some point I had it configured so it was prompting for credentials, but if it failed (or I hit cancel), then the entire connection failed. I need it to be always connected via machine cert and then have the option of logging on interactively with user credentials, always falling back to the always on mode. I must be missing something somewhere." You were are not missing anything, This is how it works; if the user tried to authenticate the existing machine tunnel will be teared down. From that point, only user tunnel can be formed. There is no fallback mechanism that facilitates to bring back the machine tunnel if the user authentication fails. Thanks, Ray. ... View more

Hi bradk, You got it right, All you need to do is in the sign-in page policy map the sign-in URL with two realms ( One Realm which holds certificate server for machine authentication and Another Realm holds the RADIUS Server for user authentication) For example, Bradk-CERT-Realm >>> Certificate Authentication Server to authenticate Machines using Machine Certificates Bradk-RADIUS-Realm >>> RADIUS server to authenticate Users using user credentials (With correct Role mappings) In the VPN Connections page select MACHINE/USER option from the drop-down list. You will see this, Machine Connection Preferences: Preferred Machine Realm: Bradk-CERT-Realm User Connection Preferences: Preferred User Realm: Bradk-RADIUS-Realm Save Changes and Push the configuration to the pulse client either through browser session or Pre-config method (JAMUI Command) [ FYI, You can do machine authentication using Machine Acoount if the Machine is Domain-Joined (Active Directory). To achieve this all your need is to create a AD Authentication server with realm and map this realm in the Preferred Machine Realm option. Thats it. ] In the background, Whenever the machine boots it will automatically authenticates using the machine certificate/account and when the user attempts to sign-in to that machine ( As soon as the user triggers the login page to appear), the machine tunnel will be teared down and user tunnel will be formed, if the credentials provided by the user is valid. Thanks, Ray. ... View more

Hi bradk, Enabling Pre-Desktop login (credential Provider) works when you selected USER or MACHINE/USER option however that does not need any user certificate to authenticate. Authentication method is determined by the realm(s) which are associated with your sign-in URL so as per your setup, you're already using a machine realm to support machine authentication, now all you need is to create a new realm with RADIUS authentication and corresponding role mappings and input the realm and role details in preferred realm set and roles. https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Pulse Secure Connection Realm.htm?Highlight=machine or user authentication Credential Provider is a integration feature of pulse client that is used to pass the domain credentials which the user provided during the windows logon and use the same credentials to authenticate the VPN connection. https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Credential Provider Authentication.htm?Highlight=credential provider I Hope it Helps you. Thanks, Ray. ... View more

Refer Administration Guide of PCS. Regards, Ray. ... View more

are the users connecting to the correct Sign-in URL? Check the configuration of SignIn URL ---> Realm ---> Authentication Servers (Mapped to your LDAP) Do a policy trace for that user & realm and post the logs. Refer this : https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Using Policy Tracing.htm?Highlight=policy trace Thanks, Ray. ... View more

Also try this KB : https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40347 Regards, Ray. ... View more

Take a look at this KB : https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40228 Hope it helps. Regards, Ray. ... View more