Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Security

You can configure security settings for Sophos Switch, including 802.1X authentication and port security, and add and remove RADIUS and TACACS+ servers.

802.1X

Sophos Switch supports 802.1X port-based network access control to authenticate users and devices using either a RADIUS or TACACS+ server.

Global Settings

The Global settings tab is where you turn on or off 802.1X authentication. You can also manage guest VLAN assignments, set the guest VLAN ID, and select the authentication method.

You can configure the following global settings:

  • Status: Select Turned on or Turned off to turn 802.1X authentication on or off.
  • Guest VLAN: Select Turned on or Turned off. You must select Turned on to set a Guest VLAN ID.
  • Guest VLAN ID: Select a VLAN from the list of defined VLANs.
  • Authentication method: Select Local, RADIUS, or TACACS+ from the drop-down list.

Click Apply to save the settings or Reset to delete any unsaved changes.

Port Settings

On the Port settings tab, you can configure the port settings and set authentication using 802.1X, MAC authentication bypass (MAB), or a combination of both. To configure MAB, see Configure MAC authentication bypass (MAB).

Select the ports you want to configure and click Edit.

You can configure the following options:

  • Mode: Select the port mode from the following options:

    • Auto: Turn on 802.1X authentication on the interface. When using Host-based for the Authentication mode, you must select Auto.
    • Force unauthorized: Allow all unauthenticated traffic on the interface.
    • Force authorized: Block all unauthenticated traffic on the interface.
  • MAB mode: Select the MAB mode from the following options:

    • MAB: Use MAB only.
    • Hybrid: Try to authenticate using 802.1X first. After three failed attempts, the switch uses MAB instead.
    • Disable: Don't use MAB.
  • Authentication mode: Select the authentication mode from the following options:

    • Port-based: Authenticate hosts connected to each port.
    • Host-based: Authenticate all traffic on a single port.
  • Maximum hosts: This setting determines the maximum number of hosts that can be connected to a port, and it only applies when Host-based is used for Authentication mode. Set a value from 1 to 10.

  • Reauthentication: Turn on or turn off port reauthentication.
  • Reauthentication period: The time, in seconds, before the port must reauthenticate. Set a value from 30 to 65535. The default is 3600.
  • Quiet period: The time, in seconds, before the switch attempts to reauthenticate after a failed authentication attempt. Set a value from 0 to 65535. The default is 60.
  • Supplicant period: This setting controls the frequency at which the switch sends EAP requests, in seconds. The switch sends three requests at this interval before switching to MAB. Set a value from 0 to 65535. The default is 30.
  • Guest VLAN: Turn on or turn off Guest VLAN. You must turn it off when using Host-based for the Authentication mode.
  • RADIUS VLAN assignment: Turn on or turn off RADIUS VLAN assignment. You must turn it off when using Host-based for the Authentication mode.

Click Apply to save your changes.
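The port options above depend on each other (Host-based needs Auto mode and both VLAN options off, and each timer has a fixed range), so a planned configuration can be checked before you enter it. The following is an added example, not Sophos code or a Sophos Central API: the field names, the sample plans, and the fallback estimate of three times the supplicant period are assumptions built from the descriptions on this page.

```python
# Added example: field names are hypothetical, not a Sophos Central API.
CHOICES = {"mode": {"Auto", "Force unauthorized", "Force authorized"},
           "mab_mode": {"MAB", "Hybrid", "Disable"},
           "auth_mode": {"Port-based", "Host-based"}}
RANGES = {"max_hosts": (1, 10), "reauth_period": (30, 65535),
          "quiet_period": (0, 65535), "supplicant_period": (0, 65535)}
# Only the defaults documented on this page.
DOC_DEFAULTS = {"reauth_period": 3600, "quiet_period": 60, "supplicant_period": 30}


def validate_port(settings):
    """Return the documented rules that one planned port configuration breaks."""
    s = {**DOC_DEFAULTS, **settings}
    errors = [f"{k} must be one of {sorted(v)}"
              for k, v in CHOICES.items() if s.get(k) not in v]
    host_based = s.get("auth_mode") == "Host-based"
    for key, (low, high) in RANGES.items():
        if key == "max_hosts" and not host_based:
            continue  # Maximum hosts only applies to Host-based
        value = s.get(key)
        if type(value) is not int or not low <= value <= high:
            errors.append(f"{key} must be an integer from {low} to {high}")
    if host_based:
        if s.get("mode") != "Auto":
            errors.append("Host-based requires Mode Auto")
        if s.get("guest_vlan"):
            errors.append("Guest VLAN must be off with Host-based")
        if s.get("radius_vlan"):
            errors.append("RADIUS VLAN assignment must be off with Host-based")
    return errors


def mab_fallback_seconds(settings):
    """Rough wait before Hybrid tries MAB: three EAP requests, one per period."""
    s = {**DOC_DEFAULTS, **settings}
    return 3 * s["supplicant_period"] if s.get("mab_mode") == "Hybrid" else None


# Constructed sample plans, not taken from a real switch.
SAMPLE = {
    "port1": {"mode": "Auto", "mab_mode": "Hybrid", "auth_mode": "Port-based",
              "guest_vlan": True, "radius_vlan": True},
    "port2": {"mode": "Force authorized", "mab_mode": "Disable", "max_hosts": 12,
              "auth_mode": "Host-based", "guest_vlan": True, "reauth_period": 10},
}

if __name__ == "__main__":
    for name, plan in SAMPLE.items():
        print(name, validate_port(plan), mab_fallback_seconds(plan))
```

With the default supplicant period of 30 seconds, a device without a supplicant on a Hybrid port waits roughly 90 seconds before MAB is tried, which is worth knowing when sizing DHCP or boot timeouts for printers and similar devices.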

Authenticated Host

The Authenticated host tab shows information about authenticated hosts.