Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.0.
Most customers think that if they check the "Enforce machine authentication" option on the controller, then machine authentication is enforced for the client. However, this is not actually true.
The client still has the discretion to initiate machine authentication. Typically it refers the WZC option "Allow computer information to be sent when it is available" or group policy.
When the enforce option is enabled, ArubaOS remembers all clients that have passed machine authentication for last 24 hours. When a client passes user authentication, it is assigned either the user-default-role or the dot1x default-role, depending on if it passed machine authentication before.