How does machine authentication work on the Aruba controller?

By Arunkumar posted Jul 09, 2014 02:31 PM


Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


1) A laptop normally boots and the user has to wait for at least 30 seconds before logging in. This delay allows the laptop enough time to search the wireless network and perform machine authentication.


2) The laptop attempts the 802.1x with client machine certificate (for EAP-TLS) or uses A/D computer account and SID as password (for PEAP/MSChapv2).


3) If the 802.1x authentication is successful, the controller keeps the client MAC address in the local-userdb as cached evidence that a good machine authentication has occurred. This client MAC address is kept for a certain amount of time, which is based on the "caching period". Also if there is already a record, the lifetime is extended. (Step 6 and 7 explain why the cache is kept instead of looking into user-table.)


4) After some random time, the user logs into the laptop. User login usually triggers Windows WZC to switch user-id and attempt another 802.1x authentication while it is using user account this time. This is known as user authentication.


5) The Aruba controller sees a successful user authentication, with "enforce machine authentication", and it also queries the local-userdb for the machine authentication history. If a record is cached, this client device has done "mach+user". Otherwise, it is only a user authentication.


6) After the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it. For WPA-TKIP, a full 802.1x user authentication is attempted only on every roaming among the AP.


7) Similarly, if the user's laptop has gone into sleep mode with user logged in, Windows does not attempt another machine authentication. If the laptop has been in sleep mode for 1 hour or so, the user-table normally clears the user record. When the user begins to use the laptop again, only a user authentication is attempted (because the user has not logged out). The user authentication relies on the cache of client MAC addresses in local-userdb.



Jan 30, 2018 10:35 PM

How do you handle when the MAC addresses in local-userdb for the client expires before the user logs off and the machine reauths?


We are having issues where the users laptops wont re-connect to the wireless network because the user hasn't logged out in forever and the entry in the local-userdb has aged out. I know we can adjust the local-userdb's cache but is there any other way to make a machine auth while the user is logged in?

May 24, 2015 06:40 PM

It's all triggered on the client. You may want to watch as they authenticate.

Mac OS X does not support machine authentication out of the box but if you Google around, there are some guides on how to make it work.


May 24, 2015 06:28 PM

Thank you for this. It gives me an idea of what goes on during authentication. I'm VERY new to your system and 802.1x in general so I would probably need a few more read throughs to get the concept


Currently we have Aruba 6.3.x and it looks like our machine authentication is not kicking in, or is pretty sporadic. Basically we have a policy that requires machine, user, and AD authentication for the client to be put in the staff vlan. User and AD authentication kicks in but machine auth is hit or miss (win 7 laptop). First off, is there a setting in ClearPass that i missed? Second, how do OSX machines do machine auth? 

Apr 29, 2015 02:11 AM



In addition to above doubts who would initiate session.Like on a switch(Authenticator) for wired users ports are configured for dot1 x authentication so switch initiates dot1x session when port comes up.

How does dot1x session initiates for wireless users? Is it when machine tries to connect on WLAN profile before user is logged in the controller initiates dot1x session and then machine authentication happens.

Second when machine authentication has happened what/who makes dot1x session to initiate for user authentication


I am trying to understand how does laptop know if it has to do machine and user authentication.




Apr 29, 2015 01:34 AM

Hi Arun

This is one  very good article..I appreciate your explanation. I have query on this:


1. Once endpoint(laptop) boots up Machine authentication happens.

2. Once user logs in, user authenitcation happens by triggering Windows WZC to switch user-id and attempt 802.1x auth with user credentials.

3. As per roles defined on controller for Virtual profile those roles apply depending upon if user /and machine auth was successful.



1. Is this default behaviour in Windows 7 where it does Machine authentication on boot up and then automatically does user authentication.

2. What if WLAN on Windows is set for only user authentication?

3. What excatly  "ënforce Machine authentication" do and what if supplicant is attempting only user authentication as in step 2 and controller enforces Machine authentication for that WLAN?

4. Authentication server and supplicant only need to match EAP method?




Sep 18, 2014 03:03 PM

Hi Yogendran,


Client would get the ip address once done m-auth request and response done with the controller which can be viewed by the command "show auth-tracebuf mac <mac address of the client>.


Enable the user--debug by logging level debugging user-debug <mac address of the client>  before running the show auth-tracebuf command output.


Thank you


Sep 17, 2014 06:36 AM

Please advice at what point, the client will pick a IP-address?