KB40452 - Group search fails for Active Directory Server on Pulse Connect Secure (PCS) running version 8.2R5 and above and Pulse Policy Secure (PPS) running version 5.3R5 and above.

This article describes an issue where group search fails for Active Directory Server on Pulse Connect Secure (PCS) running version 8.1R10 and above, 8.2R5 and above, 8.3R1 and above or Pulse Policy Secure (PPS) running version 5.3R5 and above. This does not affect Legacy Active Directory mode.

After upgrading to PCS 8.1R10 and above, 8.2R5 and above, 8.3R1 and above or PPS OS 5.3R5 and above, role mapping using group membership fails due to domain groups not being retrieved by PCS/PPS device.

This issue occurs due to a samba bug which was introduced where large LDAP searches using SASL wrapping stopped working. Samba version 4.4.2 (used in PCS 8.1R12, 8.2R5, 8.3R1 and above / PPS 5.3R5 and above) is affected by this bug.

Pulse Connect Secure versions affected:

• 8.1R10 - 8.1R11
• 8.2R5 - 8.2R7
• 8.3R1

Pulse Policy Secure versions affected:

• 5.3R5 - 5.3R7

For more information, refer to https://bugzilla.samba.org/show_bug.cgi?id=11872.

Pulse Connect Secure 8.1R12, 8.2R8.0 and 8.3R3 software and Pulse Policy Secure 5.3R8 are now available for download on Pulse Secure Licensing and Download Center.

This issue is resolved in the following versions:

• Pulse Connect Secure 8.1R12 and above
• Pulse Connect Secure 8.2R8 and above
• Pulse Connect Secure 8.3R3 and above
• Pulse Policy Secure 5.3R8 and above

If a root cause analysis is required, please gather the following logs:

1. Enable Debug Logs with Event code as AAA in log level 30 (prior to the replication)
2. Enable TCPDump (prior to the replication)
3. Once the issue is replicated, system snapshot and ensure the checkbox is enabled for Included Debuglog and system config
4. Under Log/Monitoring, click Save All Logs (This includes Event Access, User Access and Admin Access Logs).

Once the logs are gathered, please open a support case at https://my.pulsesecure.net.