Question regarding switch port security when using AP6 series access points

The current network infrastructure is to be converted from Cisco to Sophos.

Current status (Cisco network infrastructure)

  • Switch with port security via RADIUS MAB VLAN assignment active.
  • WLAN access points in their own VLAN 50, assigned via RADIUS server.
  • WLAN networks are tunneled to Cisco WLC via access points so that ports with APs only allow VLAN 50.

Target status (conversion to Sophos firewall, switch and APs)

The new network structure is to be realized with Sophos components.
The test scenario currently uses:

  • Sophos Firewall XGS 107
  • Sophos Switch CS110-24FP
  • Sophos AP6 420 access points

According to my understanding, I can only operate WPA2-Enterprise with WLAN tunneling on the "old" APX access points.
With the "new" AP6 series, in addition to the VLAN 50 of the access points, every VLAN of the respective WLAN networks must be available on the access point port.
Port security with RADIUS VLAN assignment for the access point ports would therefore not work, as otherwise all WLAN end devices would also have to be known in RADIUS.

Example WLAN networks:

SSID: Office (VLAN 100)
SSID: Guest access (VLAN 200)

VLANs required on the access point port: 50, 100, 200.


Physical attack thought experiment

Cisco state

A potential attacker could therefore gain access to the physical access point port with MAC spoofing, but would initially be encapsulated in VLAN 50.

Sophos state

A potential attacker could therefore gain access to the physical access point port with MAC spoofing and would then be able to access all VLANs (50, 100, 200).


Port security question

How can port security be guaranteed for this scenario with Sophos if WLAN networks such as the guest access, where the end devices are not known, are also to be broadcast?



Added TAGs
[edited by: Erick Jan at 11:11 PM (GMT -7) on 4 Aug 2025]
  • Yes, you need VLANs for segmentation of your network.

    The Port Security question is more a "theoretical question". 
    You could start to use MAC filtering on the Switch and spoof the AP6. Then you would gain access to the network in this format. This would require you to unplug the AP6 and plug in your network, figuring out what MAC the AP6 has and then spoof it.

    While doing this is possible, you still have to take physical action. VXLAN methods are open to the same issue: encapsulation of traffic via VXLAN basically can be exploited by the same methods.

    In practice, if somebody does an attack like this, the first thing you will notice is an email alert that the AP6 is offline, because somebody unplugged it.

    Then you could also add WPA2/3 RADIUS authentication on the switch for additional protection.

    Additionally, sync-sec endpoint helps to prevent access any further than that. With our own Endpoint, you can build additional layers of protection.

    I would always recommend keeping the AP6 itself (and its MAC) to a minimum. There is no need for the AP6 to communicate to other servers or clients.
    Its own IP is only to communicate to Central and the Radius server. 

    __________________________________________________________________________________________________________________

    • Thanks for the answer.

      I have a query about:

      >> Then you could also add WPA2/3 Radius Authentication on the switch for additional protection.

      Is it possible to activate WPA2/3 Radius authentication on the switch so that either:
      - the WLAN end devices are ignored by the Radius (e.g. Guest Access).
      - the WLAN end devices are also assigned to different VLANs via RADIUS.

      What would the port configuration on the switch look like for this?

      Example Switch:
      With Port-Settings
      "Authentication mode: Host-based"
      I'm not able to set
      "RADIUS VLAN assignment: On"
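
Erick's point that the first sign of this attack is the AP dropping off Central can be turned into a concrete check. The following is an added example, not code from the thread or from Sophos: it correlates constructed switch events (link down/up, MAB accept for the AP's MAC) with constructed controller "AP online" events and flags an AP port where the AP's MAC was re-admitted after a link flap but the AP never re-registered within a grace period. Port names, MACs, event kinds and timestamps are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed sample values)
    kind: str      # "link_down" | "link_up" | "mab_accept" | "ap_online"
    port: str      # switch port; "" for controller-side events
    mac: str = ""  # device MAC for mab_accept / ap_online

def find_suspicious_ap_ports(events: Iterable[Event], ap_ports: Dict[str, str],
                             now: int, grace: int = 300) -> List[str]:
    """Return AP ports where the AP's MAC was re-admitted by MAB after a link flap
    but the AP never reported back to the controller within `grace` seconds."""
    evs = sorted(events, key=lambda e: e.ts)
    online = {}  # AP MAC -> timestamps at which the controller saw it online
    for e in evs:
        if e.kind == "ap_online":
            online.setdefault(e.mac.lower(), []).append(e.ts)
    flagged = []
    for port, ap_mac in ap_ports.items():  # ap_ports: switch port -> expected AP MAC
        ap_mac = ap_mac.lower()
        went_down, readmit_ts = False, None
        for e in evs:
            if e.port != port:
                continue
            if e.kind == "link_down":
                went_down = True
            elif e.kind == "mab_accept" and went_down and e.mac.lower() == ap_mac:
                readmit_ts = e.ts  # the AP's MAC is back on the port after a flap
        if readmit_ts is None:
            continue
        # A genuine reboot ends with the AP re-registering; a spoofed MAC does not.
        came_back = any(readmit_ts <= t <= readmit_ts + grace
                        for t in online.get(ap_mac, []))
        if not came_back and now - readmit_ts >= grace:
            flagged.append(port)
    return flagged

# Constructed sample: two AP ports, one healthy reboot and one cable pull
AP_PORTS = {"ge1/0/5": "aa:bb:cc:00:00:01", "ge1/0/6": "aa:bb:cc:00:00:02"}
SAMPLE_EVENTS = [
    Event(1000, "link_down", "ge1/0/5"),
    Event(1040, "link_up", "ge1/0/5"),
    Event(1042, "mab_accept", "ge1/0/5", "aa:bb:cc:00:00:01"),
    Event(1130, "ap_online", "", "aa:bb:cc:00:00:01"),  # AP 1 is back in Central
    Event(2000, "link_down", "ge1/0/6"),
    Event(2015, "link_up", "ge1/0/6"),
    Event(2016, "mab_accept", "ge1/0/6", "aa:bb:cc:00:00:02"),  # AP 2 never re-registers
]
```

Feeding it real switch syslog and controller events requires writing a parser for each source; the logic above only needs the four event kinds and a port-to-AP-MAC inventory.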