New Contributor

"Enforce Machine Authentication" Clarification



I'm studying for ACMP, and reviewing the Advanced Security module.


I understand what machine authentication is, and how it works compared to user authentication.


But I don't get exactly what the option "Enforce Machine Authentication" is doing.


  • Does this mean the user won't be able to authenticate unless the machine is authenticated?
  • Is it the same as EAP Chaining?

EAP Chaining is doing machine + user authentication in the same EAP session, which requires that the supplicant can support EAP Chaining.


I would think that this option is different from EAP Chaining, in the sense that a Windows machine would authenticate at bootup, and the user will authenticate at logon.


Can someone clarify this option?




Guru Elite

Re: "Enforce Machine Authentication" Clarification

New Contributor

Re: "Enforce Machine Authentication" Clarification

Thanks for the quick reply.


I understand better now, this is all down to the role assigned, which will depend on the machine + user authentication status, as described here:

| Machine Auth Status / User Auth Status | Role Assigned |
|---|---|
| Both machine authentication and user authentication failed. L2 authentication failed. | No role assigned. No access to the network allowed. |
| Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. Server-derived roles do not apply. | Machine authentication default user role configured in the 802.1X authentication profile. |
| Machine authentication succeeded and user authentication has not been initiated. Server-derived roles do not apply. | Machine authentication default machine role configured in the 802.1X authentication profile. |
| Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation takes precedence. This is the only case where server-derived roles are applied. | A role derived from the authentication server takes precedence. Otherwise, the 802.1X authentication default role configured in the AAA profile is assigned. |


I'm more familiar with Cisco, and this is really different from how they handle authentication.


The use of roles in the Aruba architecture allows for much more flexibility!
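The role table quoted in the post above, modelled as a small state tracker. This is an added example, not part of the thread and not Aruba code. The role names, the MAC addresses and the per-MAC bookkeeping are assumptions of the model, and any client without a successful user authentication is treated like the "user authentication has not been initiated" row.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Dot1xProfile:
    # Hypothetical role names standing in for the three configured defaults.
    machine_default_role: str = "machine-only"  # machine passed, no user yet
    user_default_role: str = "user-only"        # user passed, machine failed
    dot1x_default_role: str = "employee"        # both passed, no derived role

@dataclass
class RoleTracker:
    profile: Dot1xProfile
    # Assumption of this model: results are remembered per client MAC.
    machine_ok: dict = field(default_factory=dict)
    user_ok: dict = field(default_factory=dict)

    def machine_auth(self, mac: str, passed: bool) -> Optional[str]:
        self.machine_ok[mac] = passed
        return self.role(mac)

    def user_auth(self, mac: str, passed: bool,
                  server_role: Optional[str] = None) -> Optional[str]:
        self.user_ok[mac] = passed
        return self.role(mac, server_role)

    def role(self, mac: str, server_role: Optional[str] = None) -> Optional[str]:
        machine = self.machine_ok.get(mac, False)
        user = self.user_ok.get(mac, False)
        if machine and user:
            # Only case where a server-derived role is honoured.
            return server_role or self.profile.dot1x_default_role
        if machine:
            return self.profile.machine_default_role
        if user:
            # Valid user on an unauthenticated machine: derived role ignored.
            return self.profile.user_default_role
        return None  # both failed: no role, no network access

def demo() -> dict:
    t = RoleTracker(Dot1xProfile())
    # Constructed MAC addresses (locally administered range).
    laptop, byod, unknown = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    return {
        "laptop_boot": t.machine_auth(laptop, True),
        "laptop_logon": t.user_auth(laptop, True, server_role="finance"),
        "laptop_logon_no_derived": t.role(laptop),
        "byod_logon": t.user_auth(byod, True, server_role="finance"),
        "unknown": t.user_auth(unknown, False),
    }
```

The `byod_logon` case is the one to note: the same credentials that yield the server-derived role on the domain laptop only yield the user default role on a device that never passed machine authentication.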
