KB41065 - User is getting disconnected after policy reevaluation if TOTP or RSA is configured as a secondary authentication server.

Information

Last Modified Date: 11/18/2017 2:44 AM
Synopsis
This article describes an issue where the Pulse Connect Secure device closes the user session after policy reevaluation if TOTP or RSA is configured as the secondary authentication server.
Problem or Goal
If TOTP or RSA is configured as the secondary authentication server, the user session may be disconnected after a Host Checker or Dynamic Policy reevaluation occurs.

The following entries will appear in the policy trace:

info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 - Password realm restrictions failed for testdomain\user1/Test-Realm
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 - Realm restriction failed with Password Restriction
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 - User testdomain\user1 rejected during policy reevaluation. Reason: Unable to pass realm restrictions
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 - User does not pass during policy reevaluation, removing user session
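As an added example (not part of the Pulse Secure article, and not a Pulse Secure tool), the following Python script parses policy-trace entries in the shape shown above and flags every user session that was removed during policy reevaluation after a password restriction failure. The entry format, the marker strings and the sample trace are taken from the four entries quoted above; the sample is embedded as a constructed string in the two-line layout (header, then message) and the parser also accepts the message on the same line as the header. The function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header shape of a Pulse Connect Secure policy-trace entry as quoted in the KB:
#   info - Root::<domain\user>(<realm>)[] - YYYY/MM/DD HH:MM:SS - <message>
# The message may follow on the same line or on the next line(s); any line that
# does not match the header is folded into the preceding entry as a continuation.
ENTRY_RE = re.compile(
    r"^(?P<level>\w+)\s+-\s+Root::(?P<user>[^(]+)\((?P<realm>[^)]+)\)\[\]\s+-\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+-\s*(?P<msg>.*)$"
)

# Message fragments from the article's trace that identify the failure and the removal.
RESTRICTION_MARKERS = ("Password realm restrictions failed", "Password Restriction")
REMOVAL_MARKER = "removing user session"

# Constructed sample input: the four entries quoted in the article, two lines each.
SAMPLE_TRACE = r"""
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 -
Password realm restrictions failed for testdomain\user1/Test-Realm
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 -
Realm restriction failed with Password Restriction
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 -
User testdomain\user1 rejected during policy reevaluation.
Reason: Unable to pass realm restrictions
info - Root::testdomain\user1(Test-Realm)[] - 2017/10/09 13:58:17 -
User does not pass during policy reevaluation, removing user session
"""


@dataclass
class TraceEntry:
    level: str
    user: str
    realm: str
    timestamp: str
    message: str


@dataclass
class Finding:
    user: str
    realm: str
    timestamp: str      # timestamp of the entry that removed the session
    reasons: List[str]  # restriction-failure messages seen for the same user/realm


def parse_policy_trace(text: str) -> List[TraceEntry]:
    """Parse trace text into entries, folding continuation lines into the last header."""
    entries: List[TraceEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current is not None:
                entries.append(current)
            current = TraceEntry(m["level"], m["user"].strip(), m["realm"],
                                 m["ts"], m["msg"].strip())
        elif current is not None:
            # Message text that was logged on a separate line after the header.
            current.message = (current.message + " " + line).strip()
        # Lines before the first header are ignored.
    if current is not None:
        entries.append(current)
    return entries


def find_restriction_disconnects(entries: List[TraceEntry]) -> List[Finding]:
    """Flag each user/realm whose session was removed after a password restriction failure."""
    grouped: Dict[Tuple[str, str], List[TraceEntry]] = {}
    for e in entries:
        grouped.setdefault((e.user, e.realm), []).append(e)
    findings: List[Finding] = []
    for (user, realm), group in grouped.items():
        reasons = [e.message for e in group
                   if any(marker in e.message for marker in RESTRICTION_MARKERS)]
        removals = [e for e in group if REMOVAL_MARKER in e.message]
        # Only the combination matters: a failed restriction that ended in session removal.
        if reasons and removals:
            findings.append(Finding(user, realm, removals[-1].timestamp, reasons))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per affected session."""
    return [f"{f.timestamp} {f.user} realm={f.realm}: session removed after "
            f"{len(f.reasons)} password-restriction failure(s)"
            for f in find_restriction_disconnects(parse_policy_trace(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE):
        print(line)
```

A finding for a realm whose secondary authentication server was recently switched from LDAP, AD, System Local or Radius to TOTP or RSA matches the cause described in this article; a finding for a realm that was never switched points at some other realm restriction and should be investigated separately.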
Cause
The issue occurs when all of the following conditions are met:
  • The secondary authentication server of an existing user realm is changed from LDAP, AD, System Local or Radius to TOTP or RSA.
  • The secondary password restriction for the previously applied LDAP, AD, System Local or Radius server was set to a minimum of 7 characters or more.
In this scenario, the Pulse Connect Secure device continues to apply the previous password restriction. If the one-time password (OTP) is shorter than the minimum length set by the previous password restriction policy, the password restriction check fails.

This issue does not apply to a new user realm that is configured with TOTP or RSA as the secondary authentication server from the start.
 
Solution
Pulse Secure is currently working on a permanent fix. We apologize for the inconvenience this issue may have caused.

Workaround:

  1. Log in to the admin console.
  2. Navigate to Users > User Realms and select the desired realm.
  3. Change the secondary authentication server to System Local.
  4. Click Save Changes. This change makes the Password restriction field for the secondary authentication server appear under the realm.
  5. Under User Realms, navigate to Authentication Policy > Password.
  6. Under Options for additional authentication server, select Allow all users (password of any length).
  7. Click Save Changes.
  8. Navigate to the General tab.
  9. Change the secondary authentication server back to TOTP or RSA.
  10. Click Save Changes.
After making the above change, policy reevaluation will no longer fail due to the Password Restriction for TOTP and RSA servers.

Related Links
Attachment 1
Created By: Kshitij Gupta