Hardening & Safe Protocols

Sophos: How to harden AAA (TACACS+ / RADIUS) authentication

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorSophos
Operating systemSFOS (Sophos Firewall OS)
CategoryHardening & Safe Protocols
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need Sophos Support + RMA.

What this guide covers

How to harden AAA (TACACS+ / RADIUS) authentication on Sophos devices (SFOS (Sophos Firewall OS)).

Recommendation

Centralise auth via TACACS+ / RADIUS, but always keep a local fallback in case the AAA server is unreachable.

CLI / commands

# Entered from: system configuration
system interface add name=Port1 ipv4-address=10.0.0.1 netmask=255.255.255.0 zone=LAN

# Save / commit
(auto-saves in Web UI; CLI changes persist)

Verify

Frequently asked questions

Will this work on my specific SFOS (Sophos Firewall OS) version?

The procedure reflects current SFOS (Sophos Firewall OS) behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.

Should I open a Sophos Support case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Sophos official documentation?

https://support.sophos.com/support/s/: search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific SFOS (Sophos Firewall OS) version and test in a non-production environment before applying.

What changed recently?

Fault diagnosis on a Sophos: device goes faster when you map the symptom to a recent change:

The answer narrows the root cause to a manageable subset.

Before you start

A few things to confirm so the Sophos: device fix goes cleanly:

How to confirm it's actually fixed

On a Sophos: device, the test is rarely "reboot and see". Use this list:

When to call Sophos: support instead

Escalate if:

More frequently asked questions

Will the procedure work on the international variant?

Some features and firmware paths are region-locked. Check the model spec sheet to confirm your variant supports the menu option referenced. If you're outside the US/EU, look for the regional support portal.

How long does this fix usually take?

Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.

Are there safer alternatives for non-technical users?

Yes, the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.

What if my model isn't exactly the same revision?

Cross-check the model code on the rating plate against the manufacturer support page. Major firmware generations sometimes shift the menu path; the option is usually under a similarly-named section.

What if the fix returns after a reboot?

Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).