Controller Based WLANs

802.1x with machine and user auth

by ‎08-04-2015 05:40 PM - edited ‎08-04-2015 05:40 PM
Q:

What happens if a user passes machine authentication but fails user authentication when performing 802.1x?



A:

The AOS dot1x profile has an option to enforce machine authentication.

When it is enabled, we have more control over devices that have passed or failed machine or user authentication.

Once a user has passed machine authentication, the client by default falls under the role configured as "Machine Authentication: Default Machine Role" in the dot1x profile.

 

The example below shows a client that has passed machine authentication only; user authentication has not yet been initiated.

(Aruba3400) #show user-table

Users
-----
    IP             MAC            Name     Role      Age(d:h:m)  Auth        VPN link  AP name            Roaming   Essid/Bssid/Phy               Profile  Forward mode  Type  Host Name
----------    ------------       ------    ----      ----------  ----        --------  -------            -------   ---------------               -------  ------------  ----  ---------
10.17.169.92  3c:a9:f4:7f:84:54  test      guest     00:00:00    8021x-Machine            18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel  

 

There are scenarios where a client passes machine authentication but, for some reason, fails user authentication. In this scenario, the client will no longer be present in the controller's user-table.

 

When a client fails user authentication, irrespective of whether it passed or failed machine authentication, the controller sends a deauth to the client and removes its entry from the user-table.
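As an added example (not part of the original article and not Aruba tooling), the Python below scans saved `show user-table` output for clients still in the machine-only state shown above, so sessions that never progress to user authentication can be reviewed. The function name `machine_only_sessions`, the age threshold and every sample row except the article's own entry are assumptions of this example.

```python
import re

# Auth value the article's output shows for a machine-authenticated-only client.
MACHINE_ONLY = "8021x-Machine"

# Constructed sample: row 1 is the article's entry with trailing columns
# trimmed; rows 2 and 3 (MACs, names, roles, Auth values) are made up here.
SAMPLE = """\
Users
-----
    IP             MAC            Name     Role      Age(d:h:m)  Auth
----------    ------------       ------    ----      ----------  ----
10.17.169.92  3c:a9:f4:7f:84:54  test      guest     00:00:00    8021x-Machine            18:64:72:c6:d7:28  Wireless
10.17.169.93  02:00:00:00:00:01  alice     employee  00:01:12    802.1x                   18:64:72:c6:d7:28  Wireless
10.17.169.94  02:00:00:00:00:02            guest     00:02:15    8021x-Machine            18:64:72:c6:d7:28  Wireless
"""

# Columns are not reliably aligned in pasted output, so anchor on the IP, MAC
# and Age patterns instead of fixed offsets. If Auth is blank, the next column
# is captured instead, which never equals MACHINE_ONLY and is ignored.
ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:(?P<middle>\S.*?)\s+)?"  # Name and Role; Name may be blank
    r"(?P<age>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<auth>\S+)",
    re.IGNORECASE,
)


def machine_only_sessions(user_table, min_age_minutes=0):
    """Return user-table rows that are still in the machine-only state."""
    hits = []
    for line in user_table.splitlines():
        m = ROW.match(line)
        if not m or m.group("auth") != MACHINE_ONLY:
            continue
        days, hours, minutes = (int(p) for p in m.group("age").split(":"))
        age = days * 1440 + hours * 60 + minutes
        if age < min_age_minutes:
            continue
        # The last token before Age is the Role; anything before it is the Name.
        tokens = (m.group("middle") or "").split()
        hits.append({"ip": m.group("ip"), "mac": m.group("mac").lower(),
                     "name": " ".join(tokens[:-1]),
                     "role": tokens[-1] if tokens else "",
                     "age_minutes": age})
    return hits
```

Calling `machine_only_sessions(SAMPLE, min_age_minutes=60)` returns only the constructed third row, which has held the machine role for 135 minutes without completing user authentication.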

 
