With port-based authentication, the first device (MAC address) that becomes active on the port will do authentication. The returned authentication attributes (user-role, VLAN, DACL, etc.) will be applied on the port and also for other devices that come on the port. You will use port-based for example if you want to authenticate an access point, but don't want to authenticate the clients that are connected to that access point (as those are already authenticated by the access point).
With user-based, each device will be individually authenticated. You can use this for example to authenticate an IP telephone (and return the voice-role or voice VLAN) and separately authenticate a PC that is connected behind the IP phone (and return the corporate role/VLAN for that PC).
Both will support multiple clients; with user-based you have control/visibility on each client and you can even return a different access role/VLAN to each of them, while with port-based you just authenticate the first client and each further client will go 'invisible' on the port and have the same access as the authenticated first client.
If you want to limit the number of clients, you should pick user-based and set a limit. With port-based there will not be a limit as second and later clients are not even authenticated.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
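To make the difference in the reply above concrete, here is an added example (my own Python model, not code from the forum post or from Aruba/HPE) of how a switch port treats successive MAC addresses in each mode. The `RADIUS_DB` dictionary is a constructed stand-in for the AD/RADIUS server, and the class and method names (`Port8021X`, `connect`, `visible_clients`) are my own; a real switch does this in hardware and EAP/RADIUS exchanges, but the decision logic is what matters here.

```python
"""Model of 802.1X port-based vs user-based access control on one switch port.

Added example; the behaviour modelled is the one described in the reply above.
RADIUS_DB is a constructed stand-in for the AAA server, mapping credentials to
the user-role the server would return.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store: (username, password) -> returned role.
RADIUS_DB = {
    ("ap01", "ap-secret"): "ap-role",
    ("phone01", "phone-secret"): "voice",
    ("alice", "alice-pw"): "corporate",
}


def radius_authenticate(username: Optional[str], password: Optional[str]) -> Optional[str]:
    """Return the role the AAA server would send back, or None on Access-Reject."""
    return RADIUS_DB.get((username, password))


@dataclass
class Port8021X:
    """One access port.

    user_based=False models port-based mode: no client limit, one authentication
    for the whole port.  user_based=True models user-based mode: every MAC
    authenticates on its own, up to client_limit devices.
    """
    user_based: bool
    client_limit: int = 1
    port_role: Optional[str] = None                # role applied to the port (port-based)
    authorized: Dict[str, str] = field(default_factory=dict)  # mac -> role (user-based)

    def connect(self, mac: str, username: Optional[str] = None,
                password: Optional[str] = None) -> Optional[str]:
        """A device with address `mac` becomes active on the port.

        Returns the role its traffic gets, or None when it is blocked: an
        unauthorized client gets no role at all, so no VLAN and no DHCP.
        """
        if not self.user_based:
            if self.port_role is None:
                # First active MAC authenticates on behalf of the whole port.
                self.port_role = radius_authenticate(username, password)
            # Once the port is authorized, every further MAC passes with the
            # port's role and is neither authenticated nor tracked individually.
            return self.port_role

        # User-based: each MAC is authenticated and tracked separately.
        if mac in self.authorized:
            return self.authorized[mac]
        if len(self.authorized) >= self.client_limit:
            return None                            # client-limit reached
        role = radius_authenticate(username, password)
        if role is None:
            return None                            # Access-Reject: blocked
        self.authorized[mac] = role
        return role

    def visible_clients(self) -> List[str]:
        """MACs the switch knows as individually authenticated clients."""
        return sorted(self.authorized)


def demo():
    """Run both modes on constructed MACs; returns the per-client results."""
    # Port-based: the access point authenticates, wireless clients behind it
    # arrive with no credentials and still get through.
    pb = Port8021X(user_based=False)
    port_based = [
        pb.connect("aa:aa:aa:00:00:01", "ap01", "ap-secret"),
        pb.connect("aa:aa:aa:00:00:02"),
        pb.connect("aa:aa:aa:00:00:03"),
    ]
    # User-based with client-limit 2: phone and PC get different roles, a bad
    # password is rejected, and a third device is refused by the limit.
    ub = Port8021X(user_based=True, client_limit=2)
    user_based = [
        ub.connect("bb:bb:bb:00:00:01", "phone01", "phone-secret"),
        ub.connect("bb:bb:bb:00:00:02", "alice", "wrong-pw"),
        ub.connect("bb:bb:bb:00:00:02", "alice", "alice-pw"),
        ub.connect("bb:bb:bb:00:00:03", "alice", "alice-pw"),
    ]
    return port_based, user_based


if __name__ == "__main__":
    print(demo())   # (['ap-role', 'ap-role', 'ap-role'], ['voice', None, 'corporate', None])
```

Two things the model makes visible: in port-based mode `visible_clients()` stays empty however many devices sit behind the authenticated one, which is the "invisible" behaviour from the reply, and in user-based mode the per-port limit is enforced before any further authentication is attempted. On ArubaOS-Switch the `client-limit` setting on `aaa port-access authenticator` is what selects user-based mode for a port, as described in the access security guide linked in the original message.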
Original Message:
Sent: Aug 30, 2022 03:26 PM
From: Tony Antony
Subject: AAA authentication general question
I'm trying to understand the difference between port-based and user-based authentication.
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/16-01/5200-0122_access_security_guide/content/ch19.html#:~:text=802.1X%20User%2DBased%20Access,by%20entering%20valid%20user%20credentials.
So user-based can allow multiple clients while port-based only allows a single client. Is that the only difference?
So the user will only get access to the LAN if they enter their correct AD / RADIUS username and password, and if it's incorrect, it denies access and they don't get DHCP. Right?