Sophos Switch - 802.1x


I am looking for some advice from other Sophos customers who may have already successfully configured 802.1x on Sophos switches.  We are aiming to roll out a full firewall and switch refresh at all of our sites (around 50).  Each site will have an XGS firewall and Sophos switch appropriately sized for the number of users at each site.

We have a demo XGS87 and some demo CS210-8FP 12 port switches provided by Sophos which we are using to develop a POC.  The only issue we are having issues with is wired 802.1x using Microsoft NPS as the Radius server.  These are as follows:

  • With 802.1x mode set to Auto and authentication mode set to port-based I get partial results.  Domain joined computers are authenticated and get on our network fine.  Non-domain joined computers however are left with a 169 IP address.  I can see on the switch authentication details that the non-domain joined device is moved over to the guest vlan but the device does not get an IP from the XGS.  DHCP is enabled on the guest VLAN and manually tagging a device onto that VLAN gets an IP from DHCP without issue.
  • With authentication mode set to mac based my domain joined device does not get any connectivity but does get an IP on the data VLAN weirdly enough and NPS logs show the device as authenticated.
  • When using port based authentication, any device can get on the network provided an authenticated device is on the switch port.  I.e. piggy backing off of a VOIP phone.  If the phone is plugged in by itself it gets no authentication and rightly gets a 169 IP.  As soon as I plug an authenticated device into the phone's pass through port both the authenticated device and phone get connectivity.  The same occurs if I plug a dumb switch into my 802.1x enabled switch port.  Any device I plug into my dumb switch will get connectivity provided I have an authenticated device connected.

I am working with Sophos on these issues but thought I'd reach out to the community whilst I am waiting for Sophos.  I am finding the switch documentation on this feature is very mis leading and some cases incorrect.

I am also unsure how I handle non-802.1x aware devices such as phones, printers etc etc.  Creating user accounts in AD that have the mac address as the username and password is a no go in our environment.

For example the documentation at 802.1x - Sophos Switch documentation states:

Select the port mode. The following options are available:

Auto: Automatically determine the port mode using LLDP. When using MAC-based, you must select Auto.

Force unAuthorized: Force the port to allow all traffic.

Force authorized: Force the port to drop all unauthenticated traffic.

From my testing this does not happen.  Even the PNAC section for the terminal contradicts the above.

Additionally authentication mode states:

Port-based: Authenticate hosts connected to each port.

MAC-based: Authenticate all traffic on a single port.

However Sophos Switch Firmware 01.3.1268 MR3 Maintenance Release - Release Notes & News - Sophos Switch - Sophos Community states:

Port-based MAB

Port-based MAB authenticates once for traffic connected to the Sophos switch port. All other devices connected to that port can send traffic without any further authentication being required.

MAC-based MAB

Mac-based MAB would be used to authenticate every host connected to the port on the Sophos switch. Traffic from any unauthenticated device is dropped.

Any feedback or suggestions the community can give will be greatly appreciated and apologies for the long winded post.  We are moving from a different vendor where there was a centralised NAC engine for 802.1x authentication and the Sophos's implementation seems to be different to what we've seen before. 

Added TAGs
[edited by: Erick Jan at 6:13 AM (GMT -8) on 11 Jan 2024]