Version 33.1 adds the Multi-Host Single Authentication (MHSA) feature that allows a single authenticated device to authorize all other devices connected through it, without requiring each one to authenticate individually.
When an AP authenticates to a switch port using RADIUS and the MHSA VSA is included in the RADIUS response, the switch automatically enables authentication override on the dynamically created policy profile. This means any additional hosts connected through the AP can access the network without separate authentication. Once the last authenticated user disconnects, the override is removed and the profile is deleted.
This behavior mirrors functionality previously available in Switch Engine, where a policy profile could be configured to allow multi-host access after the first successful authentication.
Only an integer value of 1 is supported.
In this example:
- If myprofile does not already exist on the switch, it will be dynamically created using the downloadable ACL flags (t:a,rc).
- Because the MHSA VSA is included (Extreme-Dyn-MHSA = "1"), the profile will be created with authentication override enabled.

    Extreme-Policy-ACL += "v:1 t:a,rc m:ipv4dst=28.0.0.1/32,ipproto=udp,l4srcport=102-103,l4dstport=201-250 a:fwd,sys ",
    Extreme-Policy-ACL += "v:1 t:a,rc m:ipproto=icmp a:fwd,sys ",
    Extreme-Policy-ACL += "v:1 t:a,rc m:any a:drop,sys ",
    Extreme-Dyn-MHSA = "1",
    Filter-Id = "Enterasys:version=1:mgmt=rw:policy=myprofile"
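Because MHSA admits every host behind the port without authentication, it is worth reviewing which RADIUS reply blocks carry the VSA. The following is an added example, not code from the vendor documentation: a small Python audit of a reply block in the format shown above. The function names, the reading of m: as the match field and a: as the action field, and the rule that an MHSA profile's ACL should end in a catch-all drop are assumptions of this example.

```python
import re

# Constructed sample: reply attributes copied from the example on this page.
SAMPLE_REPLY = '''
Extreme-Policy-ACL += "v:1 t:a,rc m:ipv4dst=28.0.0.1/32,ipproto=udp,l4srcport=102-103,l4dstport=201-250 a:fwd,sys ",
Extreme-Policy-ACL += "v:1 t:a,rc m:ipproto=icmp a:fwd,sys ",
Extreme-Policy-ACL += "v:1 t:a,rc m:any a:drop,sys ",
Extreme-Dyn-MHSA = "1",
Filter-Id = "Enterasys:version=1:mgmt=rw:policy=myprofile"
'''
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*\+?=\s*"([^"]*)"\s*,?\s*$')

def parse_reply(text):
    """Return [(attribute, value), ...] for each 'Name = "value"' line."""
    return [m.groups() for m in map(ATTR_RE.match, text.splitlines()) if m]

def parse_rule(value):
    """Split one Extreme-Policy-ACL value into its 'key:value' tokens."""
    return dict(tok.split(":", 1) for tok in value.split() if ":" in tok)

def audit_reply(text):
    """Return (policy_name, mhsa_enabled, findings) for one reply block."""
    pairs = parse_reply(text)
    rules = [parse_rule(v) for a, v in pairs if a == "Extreme-Policy-ACL"]
    mhsa = [v for a, v in pairs if a == "Extreme-Dyn-MHSA"]
    policy = None
    for fid in (v for a, v in pairs if a == "Filter-Id"):
        m = re.search(r"policy=([^:]+)", fid)
        if m:
            policy = m.group(1)
    findings = []
    if any(v != "1" for v in mhsa):
        findings.append("Extreme-Dyn-MHSA must be the integer 1")
    if mhsa and policy is None:
        findings.append("MHSA set but Filter-Id names no policy profile")
    # Local audit rule (assumption, not a vendor requirement): hosts behind an
    # MHSA port skip authentication, so expect the ACL to end in a catch-all drop.
    if mhsa and rules:
        last = rules[-1]
        if last.get("m") != "any" or "drop" not in last.get("a", "").split(","):
            findings.append("MHSA profile ACL does not end in m:any drop")
    return policy, "1" in mhsa, findings

if __name__ == "__main__":
    print(audit_reply(SAMPLE_REPLY))
```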