Community Tribal Knowledge Base


3rd party AP integration with Aruba WLAN 

Feb 06, 2012 07:38 PM

Back to the future with this Airheads Online article from 2007

 

How do I integrate Wired and Wireless authentication?

How do I integrate with third party APs?

 

Believe it or not, they are pretty much the same question for an Aruba controller. The key lies in understanding what a "trusted" port is.

 

As you probably know, every user on an Aruba controller has a role attached to it. The reason we have this role, indeed the reason we create a user for the device at all, is that we don't trust it. It's not really about trust, though; it's about authorising the device to have access to various network resources, i.e. a firewall.

 

To put this more clearly and simply, every _source_ IP address that enters the switch becomes a new user IF we don't trust the method by which the packets arrived. So the reason we create users for wireless traffic entering the switch is simply that, internally, each and every GRE interface from Aruba APs is NOT trusted; hence we create a new user entry and assign a role to that user.

 

We do not normally "monitor" the traffic coming in from an ethernet port on a switch in the same way as we do traffic from a GRE tunnel from an AP. Normally we let all traffic flow through without any control. But what if we have two APs, one Aruba and one third party, and we want to manage authentication and authorisation in the same way across the two?

 

Well the answer is that if you plug the 3rd party AP into an Aruba port, you can change the behaviour of that port so that it will monitor traffic coming through and create users out of the source IP addresses coming in through that port. We do this simply by making a physical port "untrusted". Then when a new user comes in across that third party AP, it will send traffic upstream through the Aruba port and we will create a new user entry in our user table and authenticate the device.

 

As the user then roams between the Aruba AP and the third party AP, the controller keeps track of the user and provides L3 mobility services and firewalling of this user based on their authentication, because the user's traffic is coming in through an untrusted port.

 

So in short, if you want an Aruba controller to treat wired traffic exactly the same as it treats wireless traffic, then it's easy - just configure the port as not being trusted.
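The trust decision and user-table behaviour described above can be sketched as a small model. This is an added example, not Aruba code or part of the original article; the role names, the `gre:`/`port:` ingress labels, the IP address and the class and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role names for this model; real roles are defined per site.
INITIAL_ROLE = "logon"
AUTH_ROLE = "authenticated"

@dataclass
class User:
    ip: str
    role: str = INITIAL_ROLE
    ingress: str = ""

@dataclass
class Controller:
    # Physical ports are trusted unless listed here.
    untrusted_ports: set = field(default_factory=set)
    users: dict = field(default_factory=dict)

    def is_trusted(self, ingress):
        if ingress.startswith("gre:"):
            return False  # GRE tunnels from Aruba APs are never trusted
        return ingress not in self.untrusted_ports

    def receive(self, ingress, src_ip):
        """Return the role applied to the packet, or None if no user is tracked."""
        if self.is_trusted(ingress):
            return None  # trusted path: no user entry, no per-user firewall
        user = self.users.get(src_ip)
        if user is None:
            user = self.users[src_ip] = User(src_ip)  # new source IP, new user
        user.ingress = ingress  # roaming keeps the entry, updates attachment
        return user.role

    def authenticate(self, src_ip):
        self.users[src_ip].role = AUTH_ROLE

def demo():
    ctl = Controller()
    seen = []
    # Third party AP on port 1/3 while the port is still trusted (default).
    seen.append(ctl.receive("port:1/3", "10.1.1.50"))
    ctl.untrusted_ports.add("port:1/3")  # make the port untrusted
    seen.append(ctl.receive("port:1/3", "10.1.1.50"))
    ctl.authenticate("10.1.1.50")
    seen.append(ctl.receive("gre:aruba-ap-1", "10.1.1.50"))  # roam to Aruba AP
    seen.append(ctl.receive("port:1/3", "10.1.1.50"))  # roam back
    return seen, len(ctl.users)

if __name__ == "__main__":
    print(demo())
```

The first packet in `demo()` shows the gap the article is closing: while the port is trusted, the client behind the third party AP is forwarded with no user entry and no role-based firewalling.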
