Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

understanding EAP-TLS and machine/user authentication in Aruba

  • 1.  understanding EAP-TLS and machine/user authentication in Aruba

    Posted Jul 30, 2012 05:40 PM

    We currently have a wireless network from another vendor and I am trying to figure out how to set up our Aruba controller to function in the same way.


    The existing network uses EAP-TLS and machine certificates to verify machines with an external RADIUS. With the machine verified, it has full access to the network and the user logs in and authenticates against AD exactly as if they were on a wired connection.


    How would I set this up on the Aruba controller? Do I need to check the box to force machine authentication, or is that already inherent in the underlying EAP-TLS? Or is that option only used when the controller is the EAP termination point?


    If I do need to force machine authentication and select machine and user roles, how should I approach that? I don't see any way to disable user authentication and just let the client authenticate against AD like our other wireless and wired clients. Does the controller have to be involved during user authentication?


    I've been reading everything I can find on this site but still don't really understand all the settings and relationships. Also, I've read enough to know that EAP-TLS seems to be discouraged, so I'll just state now that TLS is a requirement and that policy is not going to change. The network has a high security posture and there is no situation where a person would ever be allowed to connect anything other than an official domain client to the network. The wireless is also a convenience network, with clients mainly utilizing the wire, so cert distribution is not an issue.



  • 2.  RE: understanding EAP-TLS and machine/user authentication in Aruba

    Posted Jul 30, 2012 06:11 PM

    Are you wanting to JUST authenticate the machine and not the user or use different roles based on whether the machine or user has passed authentication? You can certainly assign two different roles based on which authentication is passed.


    Which are you wanting to do?



  • 3.  RE: understanding EAP-TLS and machine/user authentication in Aruba
    Best Answer

    Posted Jul 30, 2012 11:30 PM

    If you simply want the machine to authenticate upon boot up (using TLS or otherwise), there is no special configuration on the Aruba configuration. Whether this is allowed or not is a function of the RADIUS server and its configured policies (as well as the client configuration to attempt the computer authentication). The "enforce machine authentication" settings are used for something different, and it has no bearing on whether the controller is the termination point; in fact, if you are doing machine authentication, the controller cannot be the termination point. It is used if you wanted to set up different roles for the following scenarios...


    1. Computer authenticated, but not the user (for example, upon boot up)
    2. Computer fails, but user is successful (non-domain machines, etc.)
    3. Computer and the user are successful


    By the way, I encourage EAP-TLS where possible. Certificates get a bad rap in my mind.



  • 4.  RE: understanding EAP-TLS and machine/user authentication in Aruba

    Posted Aug 08, 2012 11:18 AM

    I am looking to JUST authenticate the machine. I think clembo's response is what I was looking for.


    If I understand correctly, in its most basic implementation I would NOT check the machine authentication box and the underlying RADIUS/supplicant EAP-TLS would handle the machine authentication. Then, under the AAA profile I would just choose something like initial role=logon, 802.1x authentication default role=authenticated.


    At this point the machine would be on the WLAN and the user should be able to authenticate against AD from the Windows logon screen.




  • 5.  RE: understanding EAP-TLS and machine/user authentication in Aruba

    Posted Aug 08, 2012 12:35 PM

    Your assumptions are correct. This is also assuming you have the client supplicant side set up to support machine authentication as well.
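
A worked controller configuration, added here as an illustration and not taken from any post in this thread, showing the basic setup reply 4 describes (no machine-authentication enforcement, initial role logon, 802.1X default role authenticated) next to the optional enforce-machine-authentication variant reply 3 explains. The server, group, profile and role names in quotes, the RADIUS address (192.0.2.10, a documentation range) and the shared-secret placeholder are all constructed; the command syntax is ArubaOS 6.x CLI as I know it, and the exact keywords should be checked against the release actually running on the controller.

```text
aaa authentication-server radius "NPS-RADIUS"
   host 192.0.2.10
   key PLACEHOLDER-SHARED-SECRET
!
aaa server-group "NPS-SG"
   auth-server "NPS-RADIUS"
!
aaa authentication dot1x "corp-dot1x"
   no termination enable
!
aaa profile "corp-aaa"
   initial-role "logon"
   authentication-dot1x "corp-dot1x"
   dot1x-default-role "authenticated"
   dot1x-server-group "NPS-SG"
!
aaa authentication dot1x "corp-dot1x-enforced"
   no termination enable
   machine-authentication enable
   machine-authentication machine-default-role "machine-only"
   machine-authentication user-default-role "user-only"
!
aaa profile "corp-aaa-enforced"
   initial-role "logon"
   authentication-dot1x "corp-dot1x-enforced"
   dot1x-default-role "authenticated"
   dot1x-server-group "NPS-SG"
!
```

The "corp-aaa" profile is the minimal case from the thread: the controller only proxies EAP-TLS to the external RADIUS server, termination stays disabled, and a client whose machine certificate the RADIUS policy accepts lands in the "authenticated" role. The "corp-aaa-enforced" profile shows where the enforce-machine-authentication checkbox maps in the CLI and how the three scenarios from reply 3 are expressed: computer passed but no user yet gets the machine-default-role ("machine-only"), computer failed but user passed gets the user-default-role ("user-only"), and both passing gets the dot1x-default-role ("authenticated"). Whichever profile is used, the three user roles must be defined separately, the profile still has to be attached to the virtual AP, and, as reply 5 points out, the RADIUS server policy and the Windows supplicant must both be set up to perform computer authentication or no role mapping on the controller will help.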