Problem
Users are not able to login to PulseSecure VPN when authentication server is changed in the user Realm. The issue is caused by role mapping to the new server, it works with the old server since the users are mapped and new server does not have the those mappings.
Users will get the following error messages below
“You are not allowed to sign in. Please contact your administrator”
The issue is not Cleary defined in the PulseSecure KB article and is little confusing and id not easy to follow the directions on the KB article. it does not explain on how ot refresh/maps the roles again with the new authentication server.
Refer to the article for more details.
Solution
Here are the steps that you need to take when you change the authentication server. Once you are in the “Authentication Server” page choose the new authentication server – see example below
Make sure you can authenticate using the “Test Connection” and it should come back as successful
Now that your new authentication server is setup, you can add it to the main user realm for the users, this will cause down time while you are switching the server to the new authentication server
Go the User Realm and select the Realm where you have added the new authentication server.
Go to Role Mapping and create a new rule for the that user Realm.
Choose the rule based on AD groups “Group membership” and click on update which then gives you the option to click on “Groups”
Click on “Groups”
You will then see older groups and you can then search for the groups that you need to map and click on “Add Group”
This will add the Group to the new rule that you created and should now be mapped to the new authentication server.
Thanks for reading this and I hope it has helped you resolved the issue.
