Multiple Host Single Authentication

Multiple Host Single Authentication (MHSA) allows MACs to access the network without EAP and NEAP authentication. Unauthenticated devices can access the network only after an EAP or NEAP client is successfully authenticated on a port. The VLAN to which the devices are allowed is the client authenticated VLAN. Unless Guest VLAN is configured, there is no authenticated client on the port, and no MAC is allowed to access the network.

MHSA is primarily intended to accommodate printers and other passive devices sharing a hub with EAP and NEAP clients.

MHSA support is on a port-by-port basis for EAP enabled ports.

MHSA supports the following functionality:
  • The port remains unauthorized when no authenticated hosts exist on the port. Before the first successful authentication occurs, both EAP and NEAP clients are allowed to negotiate access on that port but only one host is allowed to perform authentication.

  • In MHSA mode, QoS level is configured when processing the Port-Priority attribute, because there can only be one authenticated client. The devices behind the authenticated client use the port priority established by the main client.

  • In MHSA mode, the Guest VLAN applies only when no authenticated client is present on the port.

  • After the first EAP or NEAP client successfully authenticates on a port, other clients cannot negotiate authentication on that port.

  • After the first successful authentication, MACs that are already learned on that port is flushed.

  • NEAP clients are not removed at age event in MHSA mode.

  • There is no limit to the number of MACs that are allowed after first successful authentication.