Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Configure MAC authentication bypass (MAB)

MAC authentication bypass (MAB) allows Sophos Switch to authenticate one or more connected hosts using the MAC address as account information. The switch authenticates each host connected to the port individually and drops packets from unauthorized hosts. After 802.1X MAB is turned on, Sophos Switch controls the authentication process.

Port-based and Host-based MAB

Sophos Switch supports Port-based and Host-based MAB. It's important to understand how each is used within your network topology.

  • Port-based: Sophos Switch authenticates a single host connected to each port. After authentication, if another device is connected to the port, its traffic is dropped. You should use Port-based for switches that connect your endpoint devices.
  • Host-based: Sophos Switch authenticates once for traffic connected to the port. Other devices can then send traffic without further authentication taking place. You should use Host-based for connections between switches, for example, when connecting the backbone switch to the edge switch that connects your endpoint devices.

Warning

You can only authenticate a maximum of ten devices on a single port using Host-based authentication.

Requirements

To use MAB, you must have a RADIUS server for authentication in your network. Your RADIUS server must have an entry for each device that will use MAB for authentication. The username and password are the device's MAC address in lowercase with no punctuation. For example, fd6238bb0414.
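Because every device needs a RADIUS account whose username and password are its MAC address in this exact form, a small helper that normalizes inventory MACs (colon, dash, Cisco dotted or raw notation) into MAB credentials and emits the matching RADIUS entries avoids hand-typing mistakes. This is an added example, not Sophos code; it assumes a FreeRADIUS-style "users" file for the output format and uses a constructed sample inventory.

```python
import re

# A MAB credential is exactly 12 lowercase hex digits (the page's example: fd6238bb0414).
_MAB_CRED = re.compile(r"^[0-9a-f]{12}$")
MAX_HOSTS_PER_PORT = 10  # Host-based authentication limit stated in the docs


def mab_credential(mac: str) -> str:
    """Convert any common MAC notation to the MAB username/password form.

    'FD:62:38:BB:04:14', 'fd-62-38-bb-04-14', 'fd62.38bb.0414' and
    'fd6238bb0414' all become 'fd6238bb0414'. Anything else raises ValueError,
    so a malformed inventory row is rejected instead of producing a bad account.
    """
    cleaned = re.sub(r"[:\-.\s]", "", mac).lower()  # strip separators only
    if not _MAB_CRED.fullmatch(cleaned):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return cleaned


def radius_users_entries(macs) -> list[str]:
    """One entry per distinct device in FreeRADIUS 'users' syntax (assumption:
    adapt to your RADIUS server's own user store). Username and password are
    both the normalized MAC, as MAB requires; duplicate rows collapse to one."""
    entries, seen = [], set()
    for mac in macs:
        cred = mab_credential(mac)
        if cred not in seen:
            seen.add(cred)
            entries.append(f'{cred}\tCleartext-Password := "{cred}"')
    return entries


def over_limit_ports(port_macs: dict[str, list[str]]) -> dict[str, int]:
    """Ports whose distinct device count exceeds the Host-based limit of 10."""
    counts = {p: len({mab_credential(m) for m in macs}) for p, macs in port_macs.items()}
    return {p: n for p, n in counts.items() if n > MAX_HOSTS_PER_PORT}


# Constructed sample inventory: port name -> MACs seen on that port.
SAMPLE_INVENTORY = {
    "ge1": ["FD:62:38:BB:04:14", "fd62.38bb.0414", "00-11-22-33-44-55"],
    "ge2": [f"00:11:22:33:55:{i:02x}" for i in range(11)],  # 11 hosts: too many
}

if __name__ == "__main__":
    all_macs = [m for macs in SAMPLE_INVENTORY.values() for m in macs]
    print("\n".join(radius_users_entries(all_macs)))
    print("ports over Host-based limit:", over_limit_ports(SAMPLE_INVENTORY))
```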

If you're using Host-based as the Authentication mode, you must set the Mode to Auto and turn off Guest VLAN and RADIUS VLAN assignment for the ports.

How to configure MAB

To configure MAB, do as follows:

  1. Go to Security > 802.1x > Port settings.
  2. Select the ports you want to configure and click Edit.
  3. Configure the following settings:

    • Mode: Select Auto or Force authorized.

      • Auto: Automatically determine the port mode using LLDP. When using Host-based for the Authentication mode, you must select Auto.
      • Force authorized: The port drops all unauthenticated traffic.
    • MAB mode: Select MAB or Hybrid.

      • MAB: Use MAB only.
      • Hybrid: Try to authenticate using 802.1x first. After three failed attempts, the switch uses MAB instead.
    • Authentication mode: Select Port-based or Host-based.

      • Port-based: Authenticate a single host connected to each port.
      • Host-based: Authenticate up to 10 hosts on a single port.
    • Maximum hosts: Set a value from 1 to 10 if using Host-based for the Authentication mode.

    • Reauthentication: Choose whether or not you want hosts to reauthenticate after a specified time. You must set a Reauthentication period from 30 to 65535 seconds.
    • Quiet period: Set a value from 0 to 65535 seconds. The switch waits this long before attempting to reauthenticate after a failed authentication attempt.
  4. Click Apply.