Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Internal database MAC machine authentication

  • 1.  Internal database MAC machine authentication

    Posted May 08, 2015 08:06 AM

    We have 2 virtual-ap's:

    - One public SSID with captive portal and mac authentication. The mac addresses that have been added to the internal database bypass the captive portal and go straight to Internet. Unknown mac addresses get the captive portal and require a login.

    - One corporate SSID with 802.1x client and machine authentication enforced where only valid domain computers and users are allowed.

     

    We noticed that client mac addresses added in the internal database for the public SSID get full rights to the corporate SSID after authenticating with username and password.

     

    I believe I found the explanation: Aruba will store MAC addresses that have machine authenticated in the internal DB for 24 hours. The AAA profile will see a valid user authentication and a valid MAC address in the database, so it will give full rights to that device. However, the machine authentication on these devices never took place...

     

    How can we solve this? You cannot create a second internal DB. Changing the "MAC Authentication Server Group" in the AAA profile does not work. Any ideas?

  • 2.  RE: Internal database MAC machine authentication
    Best Answer

    EMPLOYEE
    Posted May 08, 2015 08:10 AM
    Theymans,

    For your public captive portal, change the mac authentication format or delimiter so it does not match that of your enforce machine authentication format. You would change this in the mac authentication profile. You will probably have to re-enter all of your mac addresses to match the new format, of course.
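
An added example, not part of the thread and not Aruba tooling: a Python helper for the re-entry step the reply mentions. It rewrites the public-SSID bypass entries into a new format and flags any that would still match the machine-authentication format. It assumes the machine-authentication entries are colon-delimited lowercase (the thread does not state this); the format names and sample entries are constructed.

```python
import re

# Delimiter styles used by this example (names are the example's own).
DELIMS = {"none": "", "colon": ":", "dash": "-"}
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical(entry):
    """Return the 12 lowercase hex digits of a MAC, or None if not a MAC."""
    digits = re.sub(r"[:\-.]", "", entry.strip().lower())
    return digits if _HEX12.match(digits) else None


def fmt(entry, delimiter, upper=False):
    """Render a MAC with the given delimiter style and case."""
    digits = canonical(entry)
    if digits is None:
        raise ValueError(f"not a MAC address: {entry!r}")
    if upper:
        digits = digits.upper()
    return DELIMS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))


def plan_reentry(entries, machine_fmt, portal_fmt):
    """Map each bypass entry to its new form.

    Returns (renames, still_colliding, skipped):
      renames         old username -> username in the new portal format
      still_colliding entries whose new form equals the machine-auth form
      skipped         usernames that are not MAC addresses (left untouched)
    """
    renames, still_colliding, skipped = {}, [], []
    for name in entries:
        if canonical(name) is None:
            skipped.append(name)
            continue
        new = fmt(name, *portal_fmt)
        renames[name] = new
        if new == fmt(name, *machine_fmt):
            still_colliding.append(name)
    return renames, still_colliding, skipped


# Constructed sample of internal-database usernames.
SAMPLE = ["aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "guest-kiosk"]
MACHINE_FMT = ("colon", False)  # assumption, see lead-in

if __name__ == "__main__":
    print(plan_reentry(SAMPLE, MACHINE_FMT, ("dash", False)))
    print(plan_reentry(SAMPLE, MACHINE_FMT, ("colon", True)))
```

The second call shows why changing the delimiter is the safer choice: a MAC made up only of digits 0-9 is identical in upper and lower case, so a case-only change leaves that entry matching the machine-authentication format.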