We currently have a wireless network from another vendor and I am trying to figure out how to set up our Aruba controller to function in the same way.
The existing network uses EAP-TLS and machine certificates to verify machines with external RADIUS. With the machine verified, it has full access to the network, and the user logs in and authenticates against AD exactly as if they were on a wired connection.
How would I set this up on the Aruba controller? Do I need to check the box to force machine authentication, or is that already inherent in the underlying EAP-TLS? Or is that option only used when the controller is the EAP termination point?
If I do need to force machine authentication and select machine and user roles, how should I approach that? I don't see any way to disable user authentication and just let the client authenticate against AD like our other wireless and wired clients. Does the controller have to be involved during user authentication?
I've been reading everything I can find on this site but still don't really understand all the settings and relationships. Also, I've read enough to know that EAP-TLS seems to be discouraged, so I'll just state now that TLS is a requirement and that policy is not going to change. The network has a high security posture and there is no situation where a person would ever be allowed to connect anything other than an official domain client to the network. The wireless is also a convenience network with clients mainly utilizing the wire, so cert distribution is not an issue.
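To make the "force machine authentication" question concrete, here is an added example (not the poster's configuration and not Aruba's code) that replays the role-assignment logic such an enforcement setting implements: a machine authentication is remembered per client MAC, and a later user authentication from the same MAC gets the full role only if a fresh machine authentication precedes it; otherwise the user lands in a restricted role. The `host/<fqdn>` identity form is what Windows computer accounts present in 802.1X; the log line format, the role names, the 24-hour cache lifetime and the sample lines themselves are constructed assumptions for this illustration.

```python
"""Added illustration: role assignment under a machine-authentication
enforcement policy, replayed over constructed RADIUS-style log lines.
Not Aruba's code and not the poster's configuration."""
import re
from datetime import datetime, timedelta

# Constructed sample log. Format (assumed, not any vendor's real format):
#   <ISO timestamp> <client MAC> <EAP identity> <Access-Accept|Access-Reject>
SAMPLE_LOG = """\
2024-01-15T08:00:00 aa:bb:cc:dd:ee:01 host/ws01.corp.example Access-Accept
2024-01-15T08:00:45 aa:bb:cc:dd:ee:01 CORP\\alice Access-Accept
2024-01-15T08:02:10 aa:bb:cc:dd:ee:02 CORP\\bob Access-Accept
2024-01-15T08:03:00 aa:bb:cc:dd:ee:03 host/ws03.corp.example Access-Reject
2024-01-15T08:03:30 aa:bb:cc:dd:ee:03 CORP\\carol Access-Accept
2024-01-16T09:00:00 aa:bb:cc:dd:ee:01 CORP\\alice Access-Accept
"""

# Windows computer accounts present an EAP identity of the form host/<fqdn>;
# anything else is treated here as a user identity.
MACHINE_IDENTITY = re.compile(r"^host/", re.IGNORECASE)

# Assumed cache lifetime: how long a successful machine authentication is
# remembered for a MAC before a later user logon is again treated as
# lacking machine authentication.
MACHINE_AUTH_TIMEOUT = timedelta(hours=24)

# Assumed role names for the possible outcomes.
ROLE_MACHINE_ONLY = "machine-only"    # machine authed, no user logon yet
ROLE_AUTHENTICATED = "authenticated"  # machine and user both authed
ROLE_RESTRICTED = "restricted"        # user authed without prior machine auth
ROLE_DENIED = "denied"                # Access-Reject

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(Access-Accept|Access-Reject)$")


def parse_line(line):
    """Split one constructed log line into (timestamp, mac, identity, accepted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, mac, identity, result = m.groups()
    return datetime.fromisoformat(ts), mac.lower(), identity, result == "Access-Accept"


def is_machine_identity(identity):
    return bool(MACHINE_IDENTITY.match(identity))


def assign_roles(log_text, enforce_machine_auth=True, timeout=MACHINE_AUTH_TIMEOUT):
    """Return a list of (mac, identity, role) in log order."""
    machine_auth_at = {}  # mac -> timestamp of last successful machine auth
    decisions = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, mac, identity, accepted = parse_line(raw)
        if not accepted:
            decisions.append((mac, identity, ROLE_DENIED))
            continue
        if is_machine_identity(identity):
            # Successful machine auth: remember it for this client.
            machine_auth_at[mac] = ts
            decisions.append((mac, identity, ROLE_MACHINE_ONLY))
            continue
        # User authentication: require a fresh machine auth from the same MAC.
        seen = machine_auth_at.get(mac)
        machine_ok = seen is not None and ts - seen <= timeout
        if machine_ok or not enforce_machine_auth:
            role = ROLE_AUTHENTICATED
        else:
            role = ROLE_RESTRICTED
        decisions.append((mac, identity, role))
    return decisions


def restricted_clients(log_text):
    """MACs whose users were placed in the restricted role (for reporting)."""
    return sorted({mac for mac, _, role in assign_roles(log_text) if role == ROLE_RESTRICTED})


if __name__ == "__main__":
    for mac, identity, role in assign_roles(SAMPLE_LOG):
        print(f"{mac}  {identity:28}  {role}")
```

Running it shows the three cases worth recognising in a real deployment: a user logon that follows a successful machine logon gets the full role; a user logon with no machine logon (or one that was rejected) is restricted; and a machine logon that is older than the cache lifetime no longer counts, which is why a long-idle laptop can land in the restricted role the next morning. With `enforce_machine_auth=False` every accepted user logon gets the full role regardless, which is the behaviour the poster describes on the existing network.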