KB40111 - Pulse Secure Linux client does not support multiple authentication servers

« Go Back

Information

Last Modified Date	4/20/2017 2:56 PM

Synopsis

Problem or Goal

When a Pulse Secure Linux user attempts to authenticated to the PCS device, the following error message will appear (in the ncsvc.log):

20160211161145.85091 ncsvc[p3058.t3058] dsclient.info <-- 302 
https://XXX.XX.XX.XXX/dana-na/auth/url_default/welcome.cgi?p=failed&auth=2 
(authenticate.cpp:213)
20160211161145.85155 ncsvc[p3058.t3058] dsclient.error state login failed, 
error 104 (dsclient.cpp:353)
20160211161145.85332 ncsvc[p3058.t3058] ncapp.error Failed to authenticate 
with IVE. Error 104 (ncsvc.cpp:253)

The error message highlighted above in 'red' indicates that a secondary authentication server is configured on the sign-in realm.

Cause

This issue occurs due to the limited support of MFA during the initial release of Pulse Secure Linux client.

Solution

To resolve this issue, upgrade the Pulse Secure Linux client to 8.2R4 and above. The following list of multi-factor authentication (MFA) vendor has been qualified by Pulse Secure with the 8.2R4 release:

RSA (software token and hardware token)
Duo Security
Safenet

With the additional support of Pulse Secure Linux UI, authentication will be performed by a web browser. While other MFA vendor are not listed, we expect other MFA vendor performing authentication via a web browser will work as well.

Note: Multi-factor authentication will only work using the Pulse UI. This feature remains unsupported for the CLI.

Workaround:

If upgrading the Pulse Secure Linux is not possible, create a separate sign-in policy for Linux users that has a sign-in realm configured with one authentication/authorization server only.

Related Articles

KB40111 - Pulse Secure Linux client does not support multiple authentication servers

Information

Workaround:

Feedback

Was this article helpful?