Thanks a lot for this.
Here are my notes:
1) It's not said whether the open syslog port, if not blocked, will be vulnerable to DoS from any IP address, or whether it filters against the registered AP list; same may be worth mentioning for other services intended for APs.
2) Please use the full term "local proxy arp" rather than "proxy arp" everywhere where you mean that.
3) Aruba should also provide recommendations for best-of-breed password-based AAA. While password-based schemes have their faults as adequately described, EAP-TLS and other exclusively-material-based schemes are weak in the two-factor department and EAP-TLS will be passed over in any environment where the flexibilities of a password-based scheme are valued. (The reality is of course that users will store either their AAA creds or their certificate password when the OS offers to. Meanwhile maybe if we all wish hard enough, more OS-native clients would start to support specifying a client cert alongside an inner authentication method rather than making them mutually exclusive for no good reason.)
4) How the system operates with IP spoofing protection in the absence of also enabling enforce DHCP is not described, and while I know this isn't going to go into every option because it isn't the manual, DHCP exhaustion protection is IMO a serious enough DoS threat to deserve mention.