Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

802.1x

You can authenticate users with either a RADIUS or TACACS+ server.

Normally, RADIUS is used to authenticate users for network access, while TACACS+ is more commonly used to administer network devices such as switches or routers.

Global Settings

Turn 802.1X authentication and guest VLAN assignment on or off, and set the guest VLAN ID and the authentication method.

To configure 802.1X authentication, do as follows:

  1. Select Turned on or Turned off for Status to turn 802.1X authentication on or off.
  2. Select Turned on or Turned off for Guest VLAN. The default is Turned off.
  3. Select the Guest VLAN ID from the dropdown menu of currently defined VLANs.
  4. Select the Authentication method as either RADIUS or TACACS+ from the dropdown menu.
  5. Click Apply.

Port Settings

From the Port settings tab, you can configure the port settings and set authentication using 802.1X, MAC authentication bypass (MAB), or a combination of both. To configure MAB, see Configure MAC authentication bypass (MAB).

  1. Select the port you want to configure using the checkbox and click Edit.
  2. Select the mode you want to use from the drop-down box.
  3. Choose whether to turn re-authentication on or off for the port. Enter the Reauthentication period, Quiet period, and Supplicant period, then enter the maximum number of times the switch retransmits the EAP request.
  4. Choose whether you wish to turn on or turn off the VLAN ID.

    Option Description
    Mode

    Select the port mode. The following options are available:

    Auto: Turn on 802.1X authentication on the interface. When using MAC-based authentication, you must select Auto.

    Force unAuthorized: Allow all traffic on the interface.

    Force authorized: Block all traffic on the interface.

    MAB mode

    Select the MAB mode. The following options are available:

    MAB: Use MAB only.

    Hybrid: Try to authenticate using 802.1X first. After three failed attempts, Sophos Switch uses MAB instead.

    Disable: Don't authenticate.

    Authentication mode

    Select the authentication mode. The following options are available:

    Port-based: Authenticate hosts connected to each port.

    MAC-based: Authenticate all traffic on a single port.

    Maximum hosts

    Only applies to MAC-based authentication. Select the maximum number of hosts connected to a port. The available values are 1 to 10.

    Reauthentication

    Turn on or turn off port reauthentication.

    Reauthentication period

    The amount of time, in seconds, before the port must be reauthenticated. The available values are 30 to 65535. The default is 3600.

    Quiet period

    The amount of time, in seconds, before Sophos Switch attempts to reauthenticate after a failed authentication attempt. The available values are 0 to 65535. The default is 60.

    Supplicant period

    The amount of time, in seconds, before an EAP request is resent to the supplicant. The available values are 0 to 65535. The default is 30.

    Guest VLAN

    Turn on or turn off Guest VLAN. You must turn it off when using MAB.

    RADIUS VLAN assignment

    Turn on or turn off RADIUS VLAN assignment. You must turn it off when using MAB.

  5. Click Apply.
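
The port options above carry value ranges and cross-field dependencies that are easy to miss when planning many ports. The following pre-change check is an added example, not Sophos code: the field names, the plan layout, and the reading that "using MAB" covers both the MAB and Hybrid modes are assumptions, while the ranges and rules come from the table above.

```python
# Added example: field names are hypothetical, not Sophos Switch or Sophos Central identifiers.
# Ranges and dependencies are the ones stated in the Port settings table above.
RANGES = {
    "reauth_period": (30, 65535),      # seconds, default 3600
    "quiet_period": (0, 65535),        # seconds, default 60
    "supplicant_period": (0, 65535),   # seconds, default 30
}
DEFAULTS = {"reauth_period": 3600, "quiet_period": 60, "supplicant_period": 30,
            "mab_mode": "Disable", "guest_vlan": False, "radius_vlan": False,
            "reauthentication": False, "max_hosts": 1}


def check_port(name, cfg):
    """Return a list of findings for one planned port configuration."""
    c = {**DEFAULTS, **cfg}
    findings = []
    for field, (lo, hi) in RANGES.items():
        if not isinstance(c[field], int) or not lo <= c[field] <= hi:
            findings.append(f"{name}: {field}={c[field]!r} outside {lo}-{hi}")
    if c.get("auth_mode") == "MAC-based":
        if c.get("mode") != "Auto":
            findings.append(f"{name}: MAC-based requires Mode = Auto")
        if not isinstance(c["max_hosts"], int) or not 1 <= c["max_hosts"] <= 10:
            findings.append(f"{name}: max_hosts={c['max_hosts']!r} outside 1-10")
    if c["mab_mode"] in ("MAB", "Hybrid"):  # assumption: "using MAB" covers Hybrid too
        if c["guest_vlan"]:
            findings.append(f"{name}: Guest VLAN must be off when using MAB")
        if c["radius_vlan"]:
            findings.append(f"{name}: RADIUS VLAN assignment must be off when using MAB")
    return findings


def check_plan(plan):
    """Check every port in a plan; returns all findings in port order."""
    return [f for name, cfg in plan.items() for f in check_port(name, cfg)]


# Constructed sample plan (not taken from a real switch).
SAMPLE_PLAN = {
    "port1": {"mode": "Auto", "auth_mode": "Port-based", "reauthentication": True},
    "port2": {"mode": "Auto", "auth_mode": "MAC-based", "max_hosts": 12,
              "mab_mode": "Hybrid", "guest_vlan": True, "reauth_period": 20},
    "port3": {"mode": "Force authorized", "auth_mode": "MAC-based", "mab_mode": "MAB",
              "radius_vlan": True},
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```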

Authenticated Host

The Authenticated host section displays the authenticated username, port, session time, authentication method, and MAC address.