802.1x with machine and user auth


What happens if a user passes machine authentication but fails user authentication when performing 802.1x?


The AOS dot1x profile has an option to enforce machine authentication.

When it is enabled, we have more control over devices depending on whether they have passed or failed machine authentication and user authentication.

Once a client has passed machine authentication, by default it is placed in the role configured as "Machine Authentication: Default Machine Role" in the dot1x profile.


Below is an example in which the client has passed only machine authentication and user authentication has not yet been initiated; the Auth column shows 8021x-Machine and the client holds the default machine role (guest here).

(Aruba3400) #show user-table

    IP             MAC            Name     Role      Age(d:h:m)  Auth        VPN link  AP name            Roaming   Essid/Bssid/Phy               Profile  Forward mode  Type  Host Name
----------    ------------       ------    ----      ----------  ----        --------  -------            -------   ---------------               -------  ------------  ----  ---------
              3c:a9:f4:7f:84:54  test     guest     00:00:00    8021x-Machine         18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel


There are scenarios where a client passes machine authentication but, for some reason, fails user authentication. In that case the client will no longer be present in the controller's user-table.


When a client fails user authentication, irrespective of whether it passed or failed machine authentication, the controller sends a deauthentication to the client and removes its entry from the user-table.
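As an added example (not from the original article), the following Python parses "show user-table" output by column position and lists the clients whose Auth is 8021x-Machine, i.e. those still parked in the default machine role waiting for user authentication. The sample output, its column widths, the second client and the age threshold are constructed for this example.

```python
import re

# Constructed sample of "show user-table" output. The first row mirrors the
# page's client (with an aged-up Age value); the second row is an invented,
# fully authenticated client. Column widths are this sample's own.
SAMPLE = """\
(Aruba3400) #show user-table

IP             MAC                Name   Role   Age(d:h:m)  Auth           VPN link  AP name            Roaming   Essid/Bssid/Phy               Profile  Forward mode  Type  Host Name
-------------  -----------------  -----  -----  ----------  -------------  --------  -----------------  --------  ----------------------------  -------  ------------  ----  ---------
               3c:a9:f4:7f:84:54  test   guest  00:02:15    8021x-Machine            18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel
10.1.1.20      3c:a9:f4:11:22:33  alice  staff  00:00:05    8021x                    18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel
"""

def column_spans(separator):
    """Column boundaries come from the dashed separator line: each run of
    dashes starts a column, which extends up to the next run. Slicing by
    position (instead of whitespace splitting) keeps empty cells such as a
    missing IP or VPN link from shifting every later field."""
    starts = [m.start() for m in re.finditer(r"-+", separator)]
    return list(zip(starts, starts[1:] + [None]))

def parse_user_table(output):
    """Return one dict per client row, keyed by the header names."""
    lines = [l for l in output.splitlines() if l.strip()]
    sep_idx = next(i for i, l in enumerate(lines) if set(l) <= {"-", " "})
    spans = column_spans(lines[sep_idx])
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, spans)}
            for row in lines[sep_idx + 1:]]

def age_minutes(age):
    """'d:h:m' -> total minutes."""
    d, h, m = (int(x) for x in age.split(":"))
    return d * 1440 + h * 60 + m

def machine_only_clients(entries, min_age_minutes=0):
    """Clients that passed machine auth but have no user auth yet (Auth is
    8021x-Machine), so they still hold the default machine role. The age
    threshold is an assumption for audits, not something the page states."""
    return [e for e in entries
            if e["Auth"] == "8021x-Machine"
            and age_minutes(e["Age(d:h:m)"]) >= min_age_minutes]

if __name__ == "__main__":
    for e in machine_only_clients(parse_user_table(SAMPLE), min_age_minutes=60):
        print(f"{e['MAC']} role={e['Role']} age={e['Age(d:h:m)']} ip={e['IP'] or '-'}")
```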


Version history: revision 2 of 2, last updated 08-04-2015 05:40 PM