
Security

You can configure security settings for Sophos Switch, such as DoS protection, 802.1X authentication, port security, and add and remove RADIUS and TACACS+ servers.

DoS

Sophos Switch can monitor and block denial-of-service (DoS) attacks. A DoS attack is network traffic intended to overwhelm a host and disrupt its connection to the network.

Select On or Off to turn DoS protection on or off. Select Not set to use the settings configured locally on the switch.

After turning DoS on or off, click Update to save your changes.

When you turn on DoS, the switch drops packets that match the following types of DoS attacks:

  • Destination MAC equal to Source MAC: Drops traffic where the source and destination MAC addresses are the same.
  • LAND Attacks (Destination IP equal to Source IP, IPv4/IPv6): Drops packets where the source and destination IP addresses are the same.
  • TCP Blat (Destination TCP Port equal to Source TCP Port): Drops TCP packets where the source TCP and destination TCP ports are the same.

    Note

    The Network Time Protocol (NTP) client sometimes uses the same source and destination port. When you turn on DoS protection, Sophos Switch detects it as a TCP Blat attack and drops the packets. We recommend turning off DoS protection if you're running older NTP clients that use the same source and destination ports.

  • UDP Blat (Destination UDP Port equal to Source UDP Port): Drops UDP packets where the source UDP and destination UDP ports are the same.

  • Ping of Death (IPv4/IPv6): Drops fragmented packets whose reassembled length is larger than 64 KB.
  • IPv6 Minimum Fragment (Bytes): Limits the minimum size of IPv6 fragments to 1240 bytes.
  • ICMP Fragments (IPv4/IPv6): Drops fragmented ICMP packets.
  • IPv4 Ping Max Size: Limits the maximum length of an IPv4 ping packet to 512 bytes.
  • IPv6 Ping Max Size: Limits the maximum length of an IPv6 ping packet to 512 bytes.
  • Smurf Attack (Netmask Length): Limits the netmask length of broadcast ICMP packets to 24 (x.x.x.255).
  • TCP Minimum Header Size (Bytes): Limits the minimum size of the TCP header to 20 bytes.
  • TCP-SYN: Drops TCP packets where the SYN flag is set, the ACK flag isn't set, and the source port is smaller than 1024.
  • Null Scan: Drops TCP packets where no flags are set and the sequence number is zero.
  • Xmas: Drops TCP packets with the sequence number zero and the FIN, URG, and PSH flags set.
  • TCP SYN-FIN: Drops TCP packets with the SYN and FIN flags set.
  • TCP SYN-RST: Drops TCP packets with the SYN and RST flags set.
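The following added example (not Sophos code, and not how the switch ASIC implements these rules) models the per-packet DoS checks listed above as a small Python classifier so you can see exactly which header fields each rule inspects. It parses constructed Ethernet/IPv4 frames and returns the name of the first matching rule. Rules that need reassembly state or knowledge of the local netmask (Ping of Death, Smurf, IPv6 Minimum Fragment) are not modelled; "IPv4 Ping Max Size" is interpreted here as the IP total length of an ICMP echo request exceeding 512 bytes, which is an assumption about how the limit is measured.

```python
"""Model of the Sophos Switch per-packet DoS rules (added example, not vendor code)."""
import ipaddress
import struct

# TCP flag bits in the 13th byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PING_MAX_SIZE = 512          # page: IPv4 ping packets above 512 bytes are dropped (IP total length assumed)
TCP_MIN_HEADER = 20          # page: TCP header must be at least 20 bytes


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4, frag_field=0):
    """Construct Ethernet II + IPv4 header (no options) + layer-4 bytes. Checksums are left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_field, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr + l4


def tcp(sport, dport, flags, seq=1, data_offset=5):
    """20-byte TCP header; data_offset is in 32-bit words (5 == 20 bytes)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, flags, 65535, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(payload=b""):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


def dos_verdict(frame):
    """Return the name of the first DoS rule the frame matches, or None if it would be forwarded."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if dst_mac == src_mac:
        return "Destination MAC equal to Source MAC"
    if frame[12:14] != b"\x08\x00":
        return None                                   # only IPv4 is modelled here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _, frag_field = struct.unpack("!HHH", ip[2:8])
    fragmented = bool(frag_field & 0x2000) or bool(frag_field & 0x1FFF)
    proto, src_ip, dst_ip = ip[9], ip[12:16], ip[16:20]
    if src_ip == dst_ip:
        return "LAND Attacks"
    l4 = ip[ihl:total_len]
    if proto == 1:                                    # ICMP
        if fragmented:
            return "ICMP Fragments"
        if l4[0] == 8 and total_len > PING_MAX_SIZE:
            return "IPv4 Ping Max Size"
    elif proto == 17:                                 # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            return "UDP Blat"
    elif proto == 6:                                  # TCP
        if len(l4) < TCP_MIN_HEADER or (l4[12] >> 4) * 4 < TCP_MIN_HEADER:
            return "TCP Minimum Header Size"
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        flags = l4[13] & 0x3F
        if sport == dport:
            return "TCP Blat"
        if flags & SYN and flags & FIN:
            return "TCP SYN-FIN"
        if flags & SYN and flags & RST:
            return "TCP SYN-RST"
        if flags & SYN and not flags & ACK and sport < 1024:
            return "TCP-SYN"
        if flags == 0 and seq == 0:
            return "Null Scan"
        if seq == 0 and flags & (FIN | URG | PSH) == (FIN | URG | PSH):
            return "Xmas"
    return None


# Constructed sample frames: a benign client SYN plus one frame per modelled rule.
A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLES = {
    "client_syn":   build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 443, SYN)),
    "same_mac":     build_frame(A, A, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 443, SYN)),
    "land":         build_frame(A, B, "10.0.0.9", "10.0.0.9", 6, tcp(40000, 443, SYN)),
    "udp_blat":     build_frame(A, B, "10.0.0.5", "10.0.0.9", 17, udp(123, 123, b"\x00" * 48)),
    "tcp_blat":     build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(8080, 8080, ACK)),
    "low_port_syn": build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(80, 443, SYN)),
    "null_scan":    build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 22, 0, seq=0)),
    "xmas":         build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 22, FIN | URG | PSH, seq=0)),
    "syn_fin":      build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 22, SYN | FIN)),
    "short_tcp":    build_frame(A, B, "10.0.0.5", "10.0.0.9", 6, tcp(40000, 22, ACK, data_offset=3)),
    "icmp_frag":    build_frame(A, B, "10.0.0.5", "10.0.0.9", 1, icmp_echo(b"x" * 32), frag_field=0x2000),
    "big_ping":     build_frame(A, B, "10.0.0.5", "10.0.0.9", 1, icmp_echo(b"x" * 600)),
}


def classify_samples():
    return {name: dos_verdict(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict or 'forwarded'}")
```

The `udp_blat` sample is a 48-byte UDP datagram from port 123 to port 123, the shape of the NTP exchange described in the note above, which is why turning the protection on can break older NTP clients.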

802.1X

Sophos Switch supports 802.1X port-based network access control to authenticate users and devices using either a RADIUS or TACACS+ server.

Global settings

The Global settings tab is where you turn on or off 802.1X authentication. You can also manage guest VLAN assignments, set the guest VLAN ID, and select the authentication method.

You can configure the following global settings:

  • Status: Select On or Off to turn 802.1X authentication on or off. Select Not set to use the settings configured locally on the switch.
  • Guest VLAN: Select On or Off. You must select On to set a Guest VLAN ID. Select Not set to use settings configured locally on the switch.
  • Guest VLAN ID: Select a VLAN from the list of defined VLANs.
  • Authentication method: Select Local user, RADIUS, or TACACS+ from the drop-down list.

Configuration source shows the origin of the settings.

Click Update to save the settings or Clear to delete any unsaved changes.

Port settings

On the Port settings tab, you can configure the port settings and set authentication using 802.1X, MAC authentication bypass (MAB), or a combination of both. To configure MAB, see Configure MAC authentication bypass (MAB).

Select the ports you want to configure and click Edit.

You can configure the following options:

  • Mode: Select the port mode from the following options:

    • Not set: Use the settings configured locally on the switch.
    • Auto: Turn on 802.1X authentication on the interface. When using Host-based for the Authentication mode, you must select Auto.
    • Force authorized: Block all unauthenticated traffic on the interface.
    • Force unauthorized: Allow all unauthenticated traffic on the interface.
  • MAB mode: Select the MAB mode from the following options:

    • Not set: Use the settings configured locally on the switch.
    • MAB: Use MAB only.
    • Hybrid: Try to authenticate using 802.1X first. After three failed attempts, the switch uses MAB instead.
    • Disabled: Don't use MAB.
  • Authentication mode: Select the authentication mode from the following options:

    • Not set: Use the settings configured locally on the switch.
    • Port based: Authenticate hosts connected to each port.
    • Host based: Authenticate all traffic on a single port.
  • Maximum hosts: This setting only applies when Authentication mode is set to Host based. It sets the maximum number of hosts that can be connected to a port. Set a value from 1 to 10.

  • Guest VLAN: Turn on or turn off Guest VLAN. You must turn it off when using Host-based for the Authentication mode.
  • RADIUS VLAN assignment: Turn on or turn off RADIUS VLAN assignment. You must turn it off when using Host-based for the Authentication mode.
  • Reauthentication: Turn on or turn off port reauthentication.
  • Reauthentication period: The time, in seconds, before the port must reauthenticate. Set a value from 30 to 65535. The default is 3600.
  • Quiet period: The time, in seconds, before the switch attempts to reauthenticate after a failed authentication attempt. Set a value from 0 to 65535. The default is 60.
  • Supplicant period: This setting controls the frequency at which the switch sends EAP requests, in seconds. The switch sends three requests at this interval before switching to MAB. Set a value from 0 to 65535. The default is 30.
  • Authorized status: Shows the authentication status of the specified port.

Configuration source shows the origin of the port settings.

Click Update to save the settings or Clear to delete any unsaved changes.
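To make the interaction of the port timers concrete, here is an added Python model (not the switch firmware's state machine) of one port in Auto mode with the page's defaults: an EAP request every Supplicant period (30 s), three attempts before the MAB fallback in Hybrid mode, a Quiet period (60 s) after a failed attempt, and a Reauthentication period (3600 s) once a host is authorized. The model treats an unanswered request and an explicit EAP failure the same way, and the "held" state for the quiet period is this model's name, both assumptions not stated on the page.

```python
"""Timer model of an 802.1X port with MAB fallback (added example, not Sophos code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortAuthConfig:
    mab_mode: str = "Hybrid"      # "MAB", "Hybrid" or "Disabled", as on the Port settings tab
    supplicant_period: int = 30   # seconds between EAP requests (page default 30)
    quiet_period: int = 60        # seconds the port waits after a failed attempt (page default 60)
    reauth_period: int = 3600     # seconds before an authorized port reauthenticates (page default 3600)
    eap_attempts: int = 3         # requests sent before falling back to MAB (page: three)


class PortAuthenticator:
    """One port in Auto mode. Times are seconds since link-up; `transitions` records every state change."""

    def __init__(self, cfg: PortAuthConfig):
        self.cfg = cfg
        self.state = "unauthorized"
        self.attempts = 0
        self.timer: Optional[int] = None            # absolute time the current state's timer fires
        self.transitions: List[Tuple[int, str]] = []

    def _enter(self, state, now, after=None):
        self.state = state
        self.timer = None if after is None else now + after
        self.transitions.append((now, state))

    def _start_eap(self, now):
        self.attempts = 1                            # first EAP-Request goes out now
        self._enter("eap", now, self.cfg.supplicant_period)

    def link_up(self, now=0):
        if self.cfg.mab_mode == "MAB":               # "Use MAB only": no EAP exchange at all
            self._enter("mab", now)
        else:
            self._start_eap(now)

    def eap_result(self, now, success):
        assert self.state == "eap"
        if success:
            self._enter("authorized", now, self.cfg.reauth_period)
        else:
            self._eap_attempt_failed(now)

    def mab_result(self, now, allowed):
        assert self.state == "mab"
        if allowed:
            self._enter("authorized", now, self.cfg.reauth_period)
        else:
            self._enter("held", now, self.cfg.quiet_period)

    def _eap_attempt_failed(self, now):
        if self.attempts < self.cfg.eap_attempts:
            self.attempts += 1                       # resend EAP-Request, same state
            self.timer = now + self.cfg.supplicant_period
        elif self.cfg.mab_mode == "Hybrid":          # three attempts used up: fall back to MAB
            self._enter("mab", now)
        else:                                        # MAB disabled: hold the port for the quiet period
            self._enter("held", now, self.cfg.quiet_period)

    def advance(self, now):
        """Fire every timer due at or before `now`: request timeouts, quiet-period expiry, reauthentication."""
        while self.timer is not None and self.timer <= now:
            fired, self.timer = self.timer, None
            if self.state == "eap":
                self._eap_attempt_failed(fired)
            elif self.state in ("held", "authorized"):
                self._start_eap(fired)               # quiet period over, or reauthentication due


def silent_supplicant_timeline(mab_mode="Hybrid", run_for=300):
    """A host that never answers EAP (a printer, for instance): when does the port reach MAB or hold?"""
    port = PortAuthenticator(PortAuthConfig(mab_mode=mab_mode))
    port.link_up(0)
    port.advance(run_for)
    return port.transitions


def authorized_then_reauth_timeline():
    """A supplicant that succeeds at t=5 s is asked to reauthenticate one Reauthentication period later."""
    port = PortAuthenticator(PortAuthConfig())
    port.link_up(0)
    port.eap_result(5, True)
    port.advance(3605)
    return port.transitions


if __name__ == "__main__":
    for mode in ("Hybrid", "Disabled", "MAB"):
        print(mode, silent_supplicant_timeline(mode))
    print("reauth", authorized_then_reauth_timeline())
```

With the defaults a silent host reaches MAB 90 seconds after link-up (three requests 30 seconds apart), which is the delay to budget for when MAB-only devices share ports with 802.1X supplicants in Hybrid mode; with MAB disabled the port instead cycles between attempts and the quiet period.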

Authenticated host

The Authenticated host tab shows information about authenticated hosts.

Port security

On the Port security tab, you can limit the number of MAC addresses that the switch can learn on a specific port.

You can configure the following options:

  • Port: The port to which the settings apply.
  • Status: Select Enabled or Disabled to turn Port security on or off.
  • Max number of MAC addresses: Enter the maximum number of MAC addresses the switch can learn on the specified port. The range is from 1 to 256.

Configuration source shows the origin of the port security settings.

Click Update to save the settings or Clear to delete any unsaved changes.

RADIUS server

You can use a RADIUS server to authenticate users accessing a network. The RADIUS server maintains a user database, which contains authentication information. The switch passes information to the RADIUS server to authenticate a user before authorizing network access.

You can configure the following options:

  • Server ID: The ID of the RADIUS server.
  • Server IP: The IP address of the RADIUS server.
  • Authorized port: The port used for communicating with the RADIUS server. The default port is 1812.
  • Shared secret: The string used for encrypting all RADIUS communication between the device and the RADIUS server.
  • Timeout: The amount of time the device waits for an answer from the RADIUS server before switching to the next server. The default is 3.
  • Retry: The number of transmitted requests sent to the RADIUS server before a failure occurs. The default is 3.

Configuration source shows the origin of the RADIUS server settings.

To create a new RADIUS server entry, click Add.

To delete RADIUS server entries, select the servers you want to remove and click Delete.

TACACS+ server

TACACS+ servers provide centralized authentication for network access. TACACS+ is used primarily for the administration of network devices.

You can configure the following options:

  • Server IP: The IP address of the TACACS+ server.
  • Priority: The priority of the TACACS+ server. The priority determines which server is contacted first for authentication when you have more than one TACACS+ server.
  • Authorized port: The port that the server communicates on for authentication. The default port is 49.
  • Shared secret: The encryption key that's configured on your TACACS+ server. This must match your TACACS+ server exactly.
  • Timeout: The timeout in seconds. The timeout specifies the time that Sophos Switch waits for an authentication response before trying the next TACACS+ server in the list. The default is 5.

Configuration source shows the origin of the TACACS+ server settings.

To create a new TACACS+ server entry, click Add.

To delete TACACS+ server entries, select the servers you want to remove and click Delete.