How does machine authentication work on the Aruba controller?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
1) A laptop boots normally, and the user has to wait for at least 30 seconds before logging in. This delay gives the laptop enough time to find the wireless network and perform machine authentication.
2) The laptop attempts 802.1x authentication with its client machine certificate (for EAP-TLS) or with the A/D computer account and SID as the password (for PEAP/MSCHAPv2).
3) If the 802.1x authentication is successful, the controller keeps the client MAC address in the local-userdb as cached evidence that a good machine authentication has occurred. This client MAC address is kept for a certain amount of time, based on the "caching period"; if a record already exists, its lifetime is extended. (Steps 6 and 7 explain why the cache is kept instead of looking into the user-table.)
4) After some random time, the user logs into the laptop. User login usually triggers Windows WZC to switch user-id and attempt another 802.1x authentication, this time using the user account. This is known as user authentication.
5) The Aruba controller sees a successful user authentication and, with "enforce machine authentication" enabled, also queries the local-userdb for the machine authentication history. If a record is cached, this client device has done "mach+user"; otherwise, it is only a user authentication.
6) After the user has logged in, Windows never attempts another machine authentication; it can attempt one only after the user logs out. For WPA-TKIP, a full 802.1x user authentication is attempted only when the client roams between APs.
7) Similarly, if the user's laptop has gone into sleep mode with the user logged in, Windows does not attempt another machine authentication. If the laptop has been asleep for about 1 hour, the user-table normally clears the user record. When the user begins to use the laptop again, only a user authentication is attempted (because the user has not logged out). That user authentication relies on the cache of client MAC addresses in the local-userdb.
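The following Python simulation is an added illustration of the cache logic in steps 3, 5 and 7; it is not ArubaOS code and not from this article. The class, method and role names, the 24-hour caching period, the 1-hour user-table idle timeout and the sample MAC addresses are all assumptions chosen for the walkthrough. It shows why the controller consults the local-userdb cache rather than the user-table: the user-table entry ages out while the laptop sleeps, but the cached machine-authentication record survives, so the user authentication after wake-up still counts as "mach+user".

```python
from dataclasses import dataclass, field

# Constructed simulation of the machine-authentication cache described in the
# article. Names, timings and roles are assumptions, not ArubaOS settings.
CACHING_PERIOD_HOURS = 24.0   # assumed "caching period" for local-userdb records
USER_TABLE_IDLE_HOURS = 1.0   # step 7: user-table record cleared after ~1 hour idle


@dataclass
class Controller:
    # local-userdb: MAC -> expiry time (hours since start); the cached evidence
    machine_cache: dict = field(default_factory=dict)
    # user-table: MAC -> last activity time; the live session, not the cache
    user_table: dict = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        """Drop expired cache records and idle user-table entries."""
        self.machine_cache = {m: exp for m, exp in self.machine_cache.items() if exp > now}
        self.user_table = {m: t for m, t in self.user_table.items()
                           if now - t < USER_TABLE_IDLE_HOURS}

    def machine_auth(self, mac: str, now: float, success: bool) -> bool:
        """Step 3: a successful machine authentication caches the MAC and
        (re)starts its lifetime; a failure leaves the cache untouched."""
        self._age_out(now)
        if success:
            self.machine_cache[mac] = now + CACHING_PERIOD_HOURS  # extend if present
            self.user_table[mac] = now
        return success

    def user_auth(self, mac: str, now: float, success: bool) -> str:
        """Step 5: classify a successful user authentication by looking in the
        machine-auth cache (local-userdb), not in the user-table."""
        self._age_out(now)
        if not success:
            return "denied"
        self.user_table[mac] = now
        return "mach+user" if mac in self.machine_cache else "user-only"

    def session_active(self, mac: str, now: float) -> bool:
        """Whether the user-table still holds a live record for this MAC."""
        self._age_out(now)
        return mac in self.user_table


def scenario() -> dict:
    """Walk one laptop through boot, login, sleep, wake-up and cache expiry."""
    c = Controller()
    mac = "00:11:22:33:44:55"        # constructed sample MAC
    other = "66:77:88:99:aa:bb"      # constructed: a laptop that skipped machine auth
    results = {}
    c.machine_auth(mac, now=0.0, success=True)                     # steps 1-3
    results["login"] = c.user_auth(mac, now=0.2, success=True)     # steps 4-5
    # Step 7: the laptop sleeps for two hours; the user-table entry ages out
    results["session_after_sleep"] = c.session_active(mac, now=2.2)
    # ...but the cached machine-auth record is still valid, so wake-up is mach+user
    results["wake"] = c.user_auth(mac, now=2.2, success=True)
    # A device with no cached machine authentication gets user-only
    results["no_machine_auth"] = c.user_auth(other, now=3.0, success=True)
    # Once the caching period has passed, the evidence is gone
    results["after_caching_period"] = c.user_auth(mac, now=30.0, success=True)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

Running the scenario shows "mach+user" at login and again after the sleep/wake cycle, even though the user-table record was cleared, and "user-only" both for a device that never performed machine authentication and for the original laptop once the caching period has elapsed. The assumed caching period is the knob that decides how long a reboot-free laptop keeps its "mach+user" standing.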