Overview

The MR3 release adds new features and fixes to the switch firmware. In parallel, we are integrating the Switch Support and Services subscription requirements for Sophos Central.

About MAC Address Bypass (MAB)

MAC Address Bypass (MAB) is an access control technique that enforces port-based access control on a switch port by using the endpoint’s MAC address. The switch port, in this case, is the interface for MAB authentication, and it dynamically allows or blocks access to the port based on the endpoint’s MAC address. MAB is commonly used as a fallback to 802.1X. For endpoints that don’t support IEEE 802.1X, such as printers and IP phones, MAB is an alternative that enables visibility and identity-based access control at the network edge.

MAC Address Bypass (MAB)

The key addition in this release is MAC Address Bypass (MAB). This feature extends the existing 802.1X functionality by allowing 802.1X MAC-based authentication bypass (MAB). With this feature, the Sophos Switch can authenticate one or more connected hosts using the host MAC address as the account information for authentication. Each host connected to a Sophos switch port with MAB enabled is authenticated individually based on the host’s MAC address. Any traffic from hosts that are not authorized is dropped.

Port-based MAB

Port-based MAB authenticates once per Sophos switch port. After that, all other devices connected to that port can send traffic without any further authentication being required.

MAC-based MAB

MAC-based MAB authenticates every host connected to the port on the Sophos switch. Traffic from any unauthenticated device is dropped.
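The difference between the two modes is easiest to see when a second, unknown host shares a port with an authorized one. The following is an added example, not Sophos code: a simplified model in which `MabPort`, `replay`, the `authenticate` callable and the sample MAC addresses are all hypothetical, and clearing sessions on link-down is an assumption of the model.

```python
class MabPort:
    """Simplified model of one switch port with MAB enabled (not firmware code).

    `authenticate` is a hypothetical stand-in for the authentication backend:
    it takes a lower-case MAC string and returns True if the MAC is authorized.
    """

    def __init__(self, mode, authenticate):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.authenticate = authenticate
        self.authorized = set()   # MACs that have passed authentication
        self.port_open = False    # used only by port-based mode

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        mac = src_mac.lower()
        # Port-based: once one host has authenticated, the port is open to all.
        if self.mode == "port" and self.port_open:
            return "forward"
        # MAC-based (or port not yet open): this host must be authorized itself.
        if mac in self.authorized:
            return "forward"
        if self.authenticate(mac):
            self.authorized.add(mac)
            self.port_open = True
            return "forward"
        return "drop"

    def link_down(self):
        """Assumption of this model: losing link clears all sessions."""
        self.authorized.clear()
        self.port_open = False


def replay(mode, allowed, frames):
    """Feed a sequence of source MACs to a fresh port and collect verdicts."""
    port = MabPort(mode, lambda mac: mac in allowed)
    return [port.receive(mac) for mac in frames]


# Constructed sample data (IANA documentation MAC range), not real devices.
PRINTER = "00:00:5e:00:53:01"   # authorized endpoint
UNKNOWN = "00:00:5e:00:53:99"   # never authorized
ALLOWED = {PRINTER}
```

Replaying `[PRINTER, UNKNOWN, PRINTER]` through both modes shows the unknown host's frame forwarded in port-based mode and dropped in MAC-based mode.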

Switch Support and Services Subscription

For customers who purchased a Support and Services subscription for Sophos Switch, the support activation was not yet integrated into Sophos Central. We are now beginning the process to fully integrate and enforce Support and Services, allowing you to seamlessly manage your switch support subscriptions alongside your other Sophos products.

What does Support and Services include?

In addition to providing a completely unified management experience for all products, a Support and Services subscription for each Sophos Switch entitles you to:

  • Sophos Central management (incl. scheduled firmware updates and backup)
  • Advanced RMA support
  • Phone support 24x7
  • Firmware updates

It also allows you to provide our support team with access to full troubleshooting and debugging in case of any issues. Support is limited for switches that are not registered with Central.

Bug Fixes:

NSW-2514- Special characters are now supported within the SNMP password field.

NSW-2513- From the terminal, administrators can now upload an SSL certificate and private key.

NSW-2512- Removed support for weak encryption ciphers (3DES-CBC, AES128-CBC, AES256-CBC) for SSH access.

NSW-2032- The VLAN name can now include special characters, including “-”, “_”, and spaces. For example, you can configure the VLAN as follows: “vlan-100”.

NSW-3476- An issue was addressed that prevented 802.1X authentication from working properly when certificates were used as part of the authentication.

NSW-3410- Doing an SNMP walk request causes the Sophos switch to go into a reboot loop.

NSW-2843- The error message displayed when adding more than the supported number of VLANs was updated to now display “System networks (IPv4): Max limit reached. A maximum of 3 VLANs are allowed with IP address.”

NSW-2815- An issue was seen where creating a LAG between Sophos switches was not working correctly.

NSW-2694- In the local switch GUI the CDP neighbor details display an incorrect firmware version.

NSW-2675- The TFTP backup restore fails when executed from the local GUI.

NSW-2445- An intermittent issue has been seen where the Sophos switch stops forwarding traffic.

NSW-2230- CDP v2 does not work properly between a Sophos switch and a Cisco switch.

NSW-1832- Added description information to the CLI to explain the password configuration rules.

NSW-1790- The power budget is displayed as 0w when the power budget is configured using a decimal value from the local switch GUI.

NSW-1569- The local switch GUI did not display VLAN names correctly when a dash or underscore was used in the name.

NSW-1301- From Central, the Sophos switch redirect links are not navigating to the specific page in the local switch GUI.

NSW-810- SSH without the -c option does not work properly.
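To confirm the NSW-2512 change after upgrading, check which ciphers the switch's SSH server advertises in its key-exchange init message. The following is an added example, not Sophos code: it parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and reports any of the three removed ciphers still offered. The function names and the `build_kexinit` sample builder are hypothetical, and the payloads it produces are constructed rather than captured from a switch.

```python
import struct

# The ciphers NSW-2512 lists as removed, in their SSH wire names.
REMOVED = {"3des-cbc", "aes128-cbc", "aes256-cbc"}

def _name_list(buf, off):
    """Read one RFC 4253 name-list: uint32 length + comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off + 4:end].decode("ascii")
    return (raw.split(",") if raw else []), end

def offered_ciphers(payload):
    """Return (client_to_server, server_to_client) cipher lists from a
    KEXINIT payload (message-type byte first, packet framing removed)."""
    if len(payload) < 17 or payload[0] != 20:   # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    off = 17                                    # 1 type byte + 16-byte cookie
    lists = []
    for _ in range(4):      # kex, host key, encryption c2s, encryption s2c
        names, off = _name_list(payload, off)
        lists.append(names)
    return lists[2], lists[3]

def removed_still_offered(payload):
    """Sorted list of removed ciphers the server still advertises."""
    c2s, s2c = offered_ciphers(payload)
    return sorted(REMOVED & (set(c2s) | set(s2c)))

def build_kexinit(enc):
    """Constructed sample: a KEXINIT payload offering `enc` in both directions."""
    def nl(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body
    lists = [["curve25519-sha256"], ["ssh-ed25519"], enc, enc,
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    # type, zero cookie, 10 name-lists, first_kex_packet_follows, reserved
    return bytes([20]) + bytes(16) + b"".join(map(nl, lists)) + b"\x00" + bytes(4)
```

An empty result from `removed_still_offered` means none of the three CBC ciphers is advertised any more.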

Known Issues:

NSW-1219- In Sophos Central, the switch alert count on the summary page is limited to 50 entries maximum, even though there may be additional alerts available.

NSW-1351- VLANs that are configured through the local GUI on the switch are not synced with Sophos Central.

NSW-1181- When the uplink port on the switch is changed, the uplink port identification is not updated in Sophos Central. The uplink port change will be displayed in the local switch GUI, but the events will not be present on Sophos Central.

NSW-1182- The uplink identification intermittently goes away in the local GUI even though the gateway and Internet are reachable from the switch.

For additional known issues, please visit: https://docs.sophos.com/support/kil/index.html.