Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
For NAT, nothing is done per-user, only per-session.
In ArubaOS 2.x, every session with a Layer 4 address (TCP port, UDP port, ICMP seq, GRE call-id) uses the first IP address in the pool, and the source Layer 4 address is modified to avoid collisions. Protocols without Layer 4 ports use the first available IP address in the pool.
In ArubaOS 3.x, every session with a Layer 4 address tries to use an IP address in the pool that allows the original source Layer 4 address to be preserved. If this is not possible, the first IP address is used and the source Layer 4 port is modified. Protocols without Layer 4 ports use the first available IP address in pool.
So, in ArubaOS 3.x, a single user is mapped to multiple addresses if there is a collision, that is, if another user is speaking to the same server using the same source port. The probability of this happening is quite low.