Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Configure MAC authentication bypass (MAB)

Using 802.1X MAC authentication bypass (MAB), Sophos Switch can authenticate one or more connected hosts using each host's MAC address as its account credentials. Each host connected to the port is authenticated individually, and packets from hosts that haven't authenticated are dropped. After MAB is turned on, Sophos Switch controls the authentication process.

Port based vs MAC based

When selecting which form of MAB to use, it's important to understand how each should be used within your network topology.

When using Port-based authentication, Sophos Switch authenticates the port once. After one host has authenticated, other devices connected to the same port can send traffic without further authentication taking place. You should use Port-based for connections between switches, for example, connecting the backbone switch to the edge switch that connects your endpoint devices.

When using MAC-based authentication, Sophos Switch authenticates each host connected to the port individually, up to the configured maximum number of hosts. Traffic from a device that hasn't authenticated is dropped, even if another device on the same port has. You should use MAC-based for switches that connect your endpoint devices.

Warning

You can only authenticate a maximum of ten devices on a single port using MAC-based authentication.

Prerequisites

  1. RADIUS server configured for authentication.
  2. On your RADIUS server, devices that will use MAB for authentication must have the username and password configured as the device's MAC address in lowercase and with no punctuation. For example, fd6238bb0414.
  3. When using MAC-based as the Authentication mode, you must set Mode to Auto when configuring the port on Sophos Switch.
  4. When using MAB, you must turn off guest VLAN and RADIUS VLAN assignments for ports.
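The second prerequisite is the one that most often goes wrong in practice: the switch presents the bare, lowercase MAC as both username and password, so an account stored as `FD:62:38:BB:04:14` never matches. The following script is an added example, not Sophos code. It normalizes MAC addresses from the forms they usually appear in (colon-, hyphen- and dot-separated, any case) into the required form, emits account entries, and then replays the comparison a RADIUS server makes. The inventory is constructed, and the entry syntax assumes FreeRADIUS's `users` file (the page doesn't name a RADIUS server); adapt the emitter for other servers.

```python
import hmac
import re

# Constructed inventory of devices that can't run an 802.1X supplicant.
# Hypothetical names and addresses; the malformed last entry is deliberate.
INVENTORY = [
    ("lobby-printer", "FD:62:38:BB:04:14"),
    ("door-controller-1", "00-1B-44-11-3A-B7"),
    ("ip-phone-12", "001b.4411.3ab8"),
    ("badge-reader", "fd6238bb041"),  # only 11 hex digits
]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits with no punctuation,
    the form the RADIUS account must use for MAB on Sophos Switch.
    Raises ValueError for anything that isn't exactly 48 bits of hex."""
    cleaned = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _MAC_RE.fullmatch(cleaned):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return cleaned


def users_entries(inventory):
    """Build FreeRADIUS 'users' entries (assumed server format) in which the
    username and Cleartext-Password are both the normalized MAC. Duplicate
    devices are emitted once. Returns (entries, rejected_records)."""
    entries, rejected, seen = [], [], set()
    for name, raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append((name, raw))
            continue
        if mac in seen:
            continue
        seen.add(mac)
        entries.append(f'# {name}\n{mac}\tCleartext-Password := "{mac}"')
    return entries, rejected


def parse_users(entries):
    """Minimal parser for the entries users_entries() emits: {user: password}."""
    creds = {}
    for entry in entries:
        for line in entry.splitlines():
            m = re.match(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', line)
            if m:
                creds[m.group(1)] = m.group(2)
    return creds


def mab_authorize(creds, user_name, user_password):
    """Decide a MAB request the way the RADIUS server does: an exact,
    case-sensitive match of the User-Name and User-Password the switch sent
    against the stored account. No normalization happens here; that is why
    the account itself must already be in the bare lowercase form."""
    stored = creds.get(user_name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, user_password)


if __name__ == "__main__":
    entries, rejected = users_entries(INVENTORY)
    print("\n".join(entries))
    for name, raw in rejected:
        print(f"# rejected {name}: {raw!r} is not a MAC address")
    creds = parse_users(entries)
    # What the switch sends for the lobby printer once its first frame arrives
    print(mab_authorize(creds, "fd6238bb0414", "fd6238bb0414"))        # True
    # The same device as written in the inventory would never match
    print(mab_authorize(creds, "FD:62:38:BB:04:14", "FD:62:38:BB:04:14"))  # False
```

To confirm an account end to end against a FreeRADIUS server, its `radtest` tool sends the same pair the switch will: `radtest fd6238bb0414 fd6238bb0414 <server> 0 <shared-secret>`. Keep in mind that a MAB credential is just the MAC, which any host can spoof; keep Maximum hosts as low as the port needs, leave Reauthentication on, and use the Hybrid MAB mode so that devices that can run a supplicant still authenticate with 802.1X.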

How to configure MAB authentication

To configure MAB, do as follows:

  1. Go to Security > 802.1x > Port settings.
  2. Select the port to configure using the checkbox and click Edit.
  3. Configure the following settings:

    Option Description
    Mode

    Select the port mode. The following options are available:

    Auto: Authentication is enforced on the port, and Sophos Switch determines the port mode automatically using LLDP. When using MAC-based, you must select Auto.

    Force unauthorized: Force the port to drop all traffic. No host can authenticate.

    Force authorized: Force the port to allow all traffic without authentication.

    MAB mode

    Select the MAB mode. The following options are available:

    MAB: Use MAB only.

    Hybrid: Try to authenticate using 802.1X first. After three failed attempts, Sophos Switch uses MAB instead.

    Disable: Turn off MAB on the port.

    Authentication mode

    Select the authentication mode. The following options are available:

    Port-based: Authenticate the port once. After one host has authenticated, all traffic on the port is allowed.

    MAC-based: Authenticate each host connected to the port individually, up to the Maximum hosts value.

    Maximum hosts

    Only applies to MAC-based authentication. Select the maximum number of hosts that can authenticate on a port. The available values are 1 to 10.

    Reauthentication

    Turn on or turn off periodic reauthentication of the port.

    Reauthentication period

    The amount of time, in seconds, before the port must be reauthenticated. The available values are 30 to 65535. The default is 3600.

    Quiet period

    The amount of time, in seconds, that Sophos Switch waits after a failed authentication attempt before trying again. The available values are 0 to 65535. The default is 60.

    Supplicant period

    The amount of time, in seconds, before an EAP request is resent to the supplicant. The available values are 0 to 65535. The default is 30.

    Guest VLAN

    Turn on or turn off Guest VLAN. You must turn it off when using MAB.

    RADIUS VLAN assignment

    Turn on or turn off RADIUS VLAN assignment. You must turn it off when using MAB.
  4. Click Apply.