Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x and 2.x.
When you create a new user in the Active Directory, you must connect the user for the first time using the wired network so that the client gets network connectivity and the credentials reach Active Directory for authentication. Only after the user credentials have been cached, the system can have the user login in using wireless on subsequent attempts.
A new user has no cache, so the login fails.
To overcome this situation, you could implement machine authentication. The machine credentials are validated and the client is put in an 802.1x machine role, which gives the user access to the network for him to login with a new credential. When you implement machine authentication, you must terminate the dot1x tunnel on the authentication server. You also need the necessary server certificates on the IAS server. (EAP termination does not support machine authentication.)