Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

802.1X

You can authenticate users with either a RADIUS or TACACS+ server. You would typically use RADIUS to authenticate users for network access and TACACS+ to administer network devices such as switches or routers.

Global Settings

The Global settings tab is where you turn on or off 802.1X authentication. You can also manage guest VLAN assignments, set the guest VLAN ID, and select the authentication method.

You can configure the following global settings:

  • Status: Select Turned on or Turned off to turn 802.1X authentication on or off.
  • Guest VLAN: Select Turned on or Turned off. You must select Turned on to set a Guest VLAN ID.
  • Guest VLAN ID: Select a VLAN from the drop-down list of currently defined VLANs.
  • Authentication method: Select Local, RADIUS, or TACACS+ from the drop-down list.

Click Apply to save your changes.

Port Settings

The Port settings tab lets you configure the port settings and set authentication using 802.1X, MAC authentication bypass (MAB), or a combination of both. To configure MAB, see Configure MAC authentication bypass (MAB).

Select the ports you want to configure using the checkbox and click Edit.

You can configure the following options:

  • Mode: Select the port mode from the following options:

    • Auto: Turn on 802.1X authentication on the interface. When using Host-based for the Authentication mode, you must select Auto.
    • Force unAuthorized: Allow all traffic on the interface.
    • Force authorized: Block all traffic on the interface.
  • MAB mode: Select the MAB mode from the following options:

    • MAB: Use MAB only.
    • Hybrid: Try to authenticate using 802.1X first. After three failed attempts, the switch uses MAB instead.
    • Disable: Don't use MAB.
  • Authentication mode: Select the authentication mode from the following options:

    • Port-based: Authenticate hosts connected to each port.
    • Host-based: Authenticate all traffic on a single port.
  • Maximum hosts: This setting only applies to Host-based authentication. It sets the maximum number of hosts connected to a port. Set a value from 1 to 10.

  • Reauthentication: Turn on or turn off port reauthentication.
  • Reauthentication period: The time, in seconds, before the port must be reauthenticated. Set a value from 30 to 65535. The default is 3600.
  • Quiet period: The time, in seconds, before the switch attempts to reauthenticate after a failed authentication attempt. Set a value from 0 to 65535. The default is 60.
  • Supplicant period: This setting controls how often the switch sends EAP requests, in seconds. The switch sends three requests at this interval before switching to MAB. Set a value from 0 to 65535. The default is 30.
  • Guest VLAN: Turn on or turn off Guest VLAN. You must turn it off when using Host-based for the Authentication mode.
  • RADIUS VLAN assignment: Turn on or turn off RADIUS VLAN assignment. You must turn it off when using Host-based for the Authentication mode.

Click Apply to save your changes.
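
Several of the port options above depend on each other (Host-based requires Auto and rules out Guest VLAN and RADIUS VLAN assignment; Hybrid waits three supplicant periods before using MAB), so a planned configuration can be checked before it is applied. The following Python lint is an added example, not Sophos code; the field names and sample ports are hypothetical, and the fallback delay assumes one full supplicant period elapses per EAP request.

```python
# Added example: lint planned 802.1X port settings against the constraints
# stated on this page. Field names are hypothetical, not a Sophos API.

RANGES = {  # documented value ranges, in seconds
    "reauth_period": (30, 65535),
    "quiet_period": (0, 65535),
    "supplicant_period": (0, 65535),
}
DEFAULTS = {"reauth_period": 3600, "quiet_period": 60, "supplicant_period": 30}


def lint_port(port):
    """Return a list of constraint violations for one port's settings."""
    p = {**DEFAULTS, **port}
    issues = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= p[key] <= hi:
            issues.append(f"{key}={p[key]} outside {lo}-{hi}")
    if p.get("auth_mode") == "Host-based":
        if p.get("mode") != "Auto":
            issues.append("Host-based requires Mode: Auto")
        if "max_hosts" in p and not 1 <= p["max_hosts"] <= 10:
            issues.append("Maximum hosts must be 1-10")
        for flag in ("guest_vlan", "radius_vlan_assignment"):
            if p.get(flag):
                issues.append(f"{flag} must be off with Host-based")
    return issues


def mab_fallback_delay(port):
    """Approximate seconds before a Hybrid port switches from 802.1X to MAB."""
    p = {**DEFAULTS, **port}
    if p.get("mab_mode") != "Hybrid":
        return None
    return 3 * p["supplicant_period"]  # three requests at this interval


# Constructed sample settings, not exported from a real switch.
PLANNED = {
    "GE1": {"mode": "Auto", "auth_mode": "Port-based", "mab_mode": "Hybrid",
            "guest_vlan": True},
    "GE2": {"mode": "Force authorized", "auth_mode": "Host-based",
            "max_hosts": 12, "guest_vlan": True, "reauth_period": 10},
}

if __name__ == "__main__":
    for name, cfg in PLANNED.items():
        print(name, lint_port(cfg) or "ok", mab_fallback_delay(cfg))
```

With the default supplicant period of 30 seconds, a device without a supplicant on a Hybrid port waits roughly 90 seconds before MAB is tried, which is worth knowing when sizing DHCP timeouts for printers and similar devices.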

Authenticated Host

The Authenticated host tab shows information about authenticated hosts.