Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How does 802.1X Machine Authentication work?

  • 1.  How does 802.1X Machine Authentication work?

    Posted Sep 17, 2015 03:04 PM

    No matter what I read I just can't seem to figure out how Machine Authentication works on an 802.1X setup.

     

    How do the Aruba Wireless Controllers perform Machine Authentication? In my RADIUS server logs I can only ever see authentication attempts with DOMAIN\user as the user details, never the machines. I can't see the Wireless Controllers tied into Active Directory at all so the wireless controllers can't know which machines are in the domain or not.

     

    The setup is Aruba Wireless Controllers going to a Windows 2008 NPS Server. In the NPS server policy we allow PEAP and authenticate based on User in All Domain Users or Machine in All Domain Machines. Machine Authentication is enabled on our wireless controllers.

     

    What am I missing?



  • 2.  RE: How does 802.1X Machine Authentication work?

    EMPLOYEE
    Posted Sep 17, 2015 03:07 PM
    Are your devices configured for machine authentication?


  • 3.  RE: How does 802.1X Machine Authentication work?

    Posted Sep 17, 2015 03:13 PM

    In the Windows profile they are configured for "User or computer authentication".

     

    Should I see a log message in the RADIUS server for a machine authentication as well if machine authentication was taking place?

     

    To me, based on the logs, etc., the machines aren't doing machine authentication and are instead just accessing the network with the "Machine authentication default user role" configured. The real issue I'm having is, I can't get machines that are not in the Active Directory to connect to the wireless. That's why I'm trying to understand what part machine authentication plays, because if I use a Domain User account to authenticate to the wireless I should be able to access it. When I untick the "Enable Machine Authentication" checkbox in the Wireless Controllers, non-Domain machines are able to access the wireless.



  • 4.  RE: How does 802.1X Machine Authentication work?

    EMPLOYEE
    Posted Sep 17, 2015 08:07 PM

    When you're testing, are you either rebooting or logging out of the machine when making changes to the controller's AAA config?

     

    Machine authentication only takes place at the login screen. So if you haven't rebooted or logged off, you'll be stuck in the default user role.

     

    [Attached image: machine-auth-table.JPG]
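
Added example (not part of the thread and not Aruba's or Microsoft's code): a Python sketch that classifies the identities seen in RADIUS server logs as machine or user, then maps each client's result to the role a controller would assign with machine authentication enforced. The log tuples are constructed, the role names are placeholders, and the four-way mapping is an assumption based on ArubaOS's documented role assignment for machine authentication.

```python
import re

# Placeholder role names (assumptions); only the "machine authentication
# default user role" is named in the thread. Key: (machine_ok, user_ok).
ROLE_TABLE = {
    (False, False): "initial-role",
    (False, True): "machine-auth-default-user-role",
    (True, False): "machine-auth-default-machine-role",
    (True, True): "dot1x-default-role",
}

def classify_identity(name):
    """Return 'machine' or 'user' for a RADIUS User-Name / NPS account name."""
    n = name.strip()
    # Windows supplicants send computer identities as host/<fqdn>.
    if n.lower().startswith("host/"):
        return "machine"
    # NPS logs show computer accounts as DOMAIN\NAME$ (trailing dollar sign).
    account = re.split(r"[\\/]", n)[-1].split("@")[0]
    return "machine" if account.endswith("$") else "user"

# Constructed sample events: (client MAC, identity in log, Access-Accept?)
SAMPLE_EVENTS = [
    ("aa:bb:cc:00:00:01", "host/LAPTOP01.corp.example.com", True),
    ("aa:bb:cc:00:00:01", "CORP\\alice", True),
    ("aa:bb:cc:00:00:02", "CORP\\bob", True),       # user credentials only
    ("aa:bb:cc:00:00:03", "CORP\\KIOSK07$", True),  # sitting at login screen
    ("aa:bb:cc:00:00:04", "CORP\\mallory", False),  # rejected attempt
]

def summarize(events):
    """Map each client MAC to the role implied by its accepted auth types."""
    state = {}
    for mac, identity, accepted in events:
        seen = state.setdefault(mac, {"machine": False, "user": False})
        if accepted:
            seen[classify_identity(identity)] = True
    return {mac: ROLE_TABLE[(s["machine"], s["user"])] for mac, s in state.items()}

if __name__ == "__main__":
    for mac, role in summarize(SAMPLE_EVENTS).items():
        print(mac, role)
```

If the server logs only ever show `DOMAIN\user` entries and never a `host/` or `$` identity, every client falls into the second row of the table, which matches the symptom described in post 3.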