06-29-2015 10:27 AM - edited 06-29-2015 10:28 AM
Controller OS: 18.104.22.168
Right now our 802.1x auth has enforce machine auth enabled. However, I think this might cause us issues in the future. I would like to still have my BYOD devices like iPhones/iPads be able to place the user into the proper role I have mapped in the RADIUS server group. The roles would still look for domain computers and properly authenticate them.
Would there be an issue with unchecking enforce machine auth? Right now the 802.1x auth default role is authenticated. The machine auth default machine role is domain computer, and the user role I have is a BYOD role. I would still map our students to BYOD, but I have apps on my non-domain devices that I can get to internal resources to troubleshoot issues such as SSH.
Also, we are starting to implement enterprise printers using Wi-Fi that only faculty and staff can connect and print to. These use PEAP auth, and I set up a test aaa-profile with enforce machine auth off and it worked properly.
I just want to make sure there are no side effects with disabling this option. We are also not using ClearPass. Current auth is done by Windows NPS.
Thanks in advance.
06-29-2015 04:21 PM
When you enable "enforce machine authentication" on the Aruba Controller:
- Devices do not leverage RADIUS attributes unless they pass BOTH machine and user authentication
- Machine authentication does not work when IAS or NPS is the RADIUS server (this is only a problem with NPS and IAS)
Enforce machine authentication on the Aruba controller is a workaround for when you do not have a full-featured RADIUS server like ClearPass that can check multiple attributes to return a role, VLAN or RADIUS attribute. It offers limited flexibility for devices that do not pass both user and machine authentication. ClearPass Policy Manager should be used in those situations.
Aruba Customer Engineering