There maybe instances when it would be required to validate if a client is under "Deauth Attack" from external source which spoofs Aruba AP's MAC address. This article outlines the procedure to validate such attack. With a test client connecting to Aruba SSID; it would be noticed that the client keep reassociating with excessive association attempts (highlighted).
(003-aruba01) #show ap association | include da:94
TAC-Lab82:47 d8:c7:c8:e8:24:78 60:67:20:df:da:94 y y 1 100 Aruba_Welcome 900 0x10043 a-HT-40sgi-2ss 0s 4 WAB
(003-aruba01) #show ap association | include da:94
TAC-Lab82:47 d8:c7:c8:e8:24:78 60:67:20:df:da:94 y y 1 100 Aruba_Welcome 900 0x10043 a-HT-40sgi-2ss 0s 20 WAB
(003-aruba01) #show ap association | include da:94
TAC-Lab82:47 d8:c7:c8:e8:24:78 60:67:20:df:da:94 y y 1 100 Aruba_Welcome 900 0x10043 a-HT-40sgi-2ss 0s 6 WAB
By using show ap remote debug mgmt-frames ap-name; management frames between AP & client can be viewed. It would be noticed that there are no deauths from AP but client makes continuous connection attempts.
(Aruba-TAC) #show ap remote debug mgmt-frames ap-name TAC-LAB82:47 | include df:da:94
Nov 7 11:39:38 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:38 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 39 -
Nov 7 11:39:38 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:38 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:38 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:38 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 40 -
Nov 7 11:39:38 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:38 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:37 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 40 -
Nov 7 11:39:37 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:37 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 38 -
Nov 7 11:39:37 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:37 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 39 -
Nov 7 11:39:37 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:37 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 37 -
Nov 7 11:39:37 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:37 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:36 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:36 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 37 -
Nov 7 11:39:36 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:36 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:36 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:36 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 38 -
Nov 7 11:39:36 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:36 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:35 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 39 -
Nov 7 11:39:35 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:35 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 36 -
Nov 7 11:39:35 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:35 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 36 -
Nov 7 11:39:35 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:35 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
Nov 7 11:39:34 assoc-resp d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:34 assoc-req 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 34 -
Nov 7 11:39:34 auth d8:c7:c8:e8:24:78 60:67:20:df:da:94 d8:c7:c8:e8:24:78 15 Success
Nov 7 11:39:34 auth 60:67:20:df:da:94 d8:c7:c8:e8:24:78 d8:c7:c8:e8:24:78 60 -
If Over-the-Air capture corresponding to the command shows Deauth frames from AP to the test client; then it would confirm that the client is under Deauth Attack from external source.