ArubaOS and Controllers

Occasional Contributor II

802.1x - Local database filled with mac address user


Virtual AP with AAA profile to use 802.1x authentication and enforce machine authentication. EAP-TLS with both user and machine certificates.
Authentication against Windows 2003 RADIUS server.

The users connect fine and the system is working, but there is one thing I cannot understand.
Why is the local-user database on the Aruba controller being filled with
MAC-address users of the laptop connecting with machine authentication?

Is there any way to prevent it?

Below you can see an example.

(Aruba800) #
(Aruba800) #show local-userdb

User Summary
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
00:13:02:d1:7e:d3 ******** Ansatt-PC Yes 4/23/2010 4:35 Active

User Entries: 1

(Aruba800) # show us

IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------
00:13:02:d1:7e:d3 host/ Ansatt-PC 00:00:03 8021x-Machine AP65-1 Wireless Ansatt/00:0b:86:59:29:40/g aaa-ansatt tunnel

User Entries: 1/1

Ole M
Aruba Employee

Re: 802.1x - Local database filled with mac address user

When you enable machine authentication, the MAC address of each machine is placed into the local user db with the MAC address as the user name and password. There is a setting in the AAA profile that controls how long we cache that UID/PW. When the cache time expires, the UID is deleted from the db. If the user attempts to connect to the WLAN without machine authentication during the cache time (they come out of hibernate or sleep mode for instance), the local db will authenticate the machine's address.
Occasional Contributor II

Re: 802.1x - Local database filled with mac address user

Thanks for your reply. :)
Guru Elite

Enforce machine authentication

It is when you enable the "enforce machine authentication" checkbox in the 802.1x profile on the Aruba controller, to be exact. If you uncheck that, it will stop creating those local database entries.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
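Added example (not part of the thread and not Aruba code): a small audit script that reads `show local-userdb` output, separates the MAC-named machine-authentication cache entries described in the replies from ordinary local accounts, and reports how long each cached entry has left. It assumes the whitespace-separated column layout shown in the original post; the second sample row and the "now" timestamp are constructed.

```python
import re
from datetime import datetime

# Constructed sample of `show local-userdb` output. The first row is the entry
# from the post; the second row (an admin-created guest account) is made up.
SAMPLE = """\
User Summary
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
00:13:02:d1:7e:d3 ******** Ansatt-PC Yes 4/23/2010 4:35 Active
guest1 ******** guest guest1@example.com Yes 5/01/2010 12:00 Active

User Entries: 2
"""
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# Name, masked password, role, optional e-mail, Enabled, optional expiry, status.
ROW = re.compile(
    r"^(?P<name>\S+)\s+\*+\s+(?P<role>\S+)\s+(?:(?P<email>\S+@\S+)\s+)?"
    r"(?P<enabled>Yes|No)\s+(?:(?P<expiry>\d+/\d+/\d{4} \d+:\d{2})\s+)?(?P<status>\S+)"
)

def parse_local_userdb(text):
    """Return one dict per user row; header, rule and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        if e["expiry"]:
            e["expiry"] = datetime.strptime(e["expiry"], "%m/%d/%Y %H:%M")
        # A user name that is a MAC address marks a machine-auth cache entry.
        e["machine_cache"] = bool(MAC.match(e["name"]))
        entries.append(e)
    return entries

def machine_cache_report(text, now):
    """Split entries into cached machine MACs (with hours left) and other accounts."""
    cached, other = [], []
    for e in parse_local_userdb(text):
        if e["machine_cache"]:
            left = (e["expiry"] - now).total_seconds() / 3600 if e["expiry"] else None
            cached.append((e["name"].lower(), e["role"], left))
        else:
            other.append(e["name"])
    return cached, other

if __name__ == "__main__":
    print(machine_cache_report(SAMPLE, datetime(2010, 4, 22, 4, 35)))
```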