Q: What happens if a user passes machine authentication but fails user authentication when performing 802.1x?
A: In AOS dot1x profile, we have an option to enforce machine authentication.
When enabled, we can be in more control of the devices that have passed/failed machine/user authentication.
Once a user has passed machine authentication, by default the client will fall under the role configured in "Machine Authentication: Default Machine Role" under dot1x profile.
Below is an example which shows the client has passed only machine authentication but user authentication is not yet initiated.
(Aruba3400) #show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
10.17.169.92 3c:a9:f4:7f:84:54 test guest 00:00:00 8021x-Machine 18:64:72:c6:d7:28 Wireless akhil/18:64:72:ed:72:80/g-HT akhil tunnel
There are scenarios where the clients will pass machine authentication, but for some reason will fail user authentication. In this scenario, clients will not be present in the user-table of the controller anymore.
When a client fails user authentication irrespective of passing/failing machine authentication, controller will send a deauth to the client and remove the entry from the user-table.
