Configuring Identity for Unmanaged/BYOD Devices
This section describes how to configure SafeConnect Essentials to tie identity to unmanaged/BYOD devices.
The steps below are not required for 802.1X/WPA2E Authentication, MAC authentication or Initial VLAN Assignment. They are only required to tie identity to unmanaged devices.
Configure DHCP Syslog
SafeConnect will process DHCP syslog exported from DHCP servers to correlate IP and MAC addresses in real time. The DHCP Syslog configuration is in the Configuration Manager under Network Inputs.
Select the appropriate DHCP vendor from the drop-down list.
Once vendor and IP are configured, click the Add button to add the server to SafeConnect. Instructions for configuring the server to export syslog to SafeConnect are located below the Add button.
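The IP-to-MAC correlation described above can be illustrated with the following added Python example, which is not SafeConnect's code. It assumes the ISC dhcpd syslog message format; the function name `correlate` and the sample log lines are constructed for this illustration.

```python
import re

# Assumption: ISC dhcpd message bodies; other DHCP vendors log differently.
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
ACK = re.compile(rf"DHCPACK on {IP} to {MAC}", re.I)
REL = re.compile(rf"DHCPRELEASE of {IP} from {MAC}", re.I)

def correlate(lines):
    """Return (bindings, events): the current IP->MAC map and each change seen."""
    bindings, events = {}, []
    for line in lines:
        m = ACK.search(line)
        if m:
            ip, mac = m["ip"], m["mac"].lower()
            old = bindings.get(ip)
            if old is None:
                events.append(("bind", ip, mac))
            elif old != mac:
                # Same IP, different device: identity tied to the old MAC
                # must not carry over to the new one.
                events.append(("rebind", ip, mac))
            bindings[ip] = mac  # a renewal (same MAC) produces no event
            continue
        m = REL.search(line)
        if m and bindings.get(m["ip"]) == m["mac"].lower():
            del bindings[m["ip"]]
            events.append(("release", m["ip"], m["mac"].lower()))
    return bindings, events

# Constructed sample syslog lines (not captured from a real server).
SAMPLE = [
    "Mar  3 10:00:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.15 to AA:BB:CC:00:11:22 (laptop-a) via eth0",
    "Mar  3 10:00:09 dhcp1 dhcpd[812]: DHCPREQUEST for 10.20.0.15 from aa:bb:cc:00:11:22 via eth0",
    "Mar  3 10:05:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.15 to aa:bb:cc:00:11:22 (laptop-a) via eth0",
    "Mar  3 11:00:00 dhcp1 dhcpd[812]: DHCPRELEASE of 10.20.0.15 from aa:bb:cc:00:11:22 (laptop-a) via eth0 (found)",
    "Mar  3 11:02:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.15 to de:ad:be:ef:00:01 (phone-b) via eth0",
    "Mar  3 11:03:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.16 to aa:bb:cc:00:11:22 (laptop-a) via eth0",
    "Mar  3 11:09:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.16 to 02:00:00:00:00:99 via eth0",
]

if __name__ == "__main__":
    table, changes = correlate(SAMPLE)
    for change in changes:
        print(*change)
    print(table)
```

The `rebind` event marks the case where an address changes hands without a release being logged, which is when a stale IP-to-identity mapping would otherwise attribute one device's traffic to another user.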
Configure DHCP Device Identification
SafeConnect will examine DHCP requests forwarded by DHCP relay agents to help with device fingerprinting. SafeConnect will not respond to DHCP requests and does not act as a DHCP server; the requests are used for identification purposes only. The DHCP Device Identification configuration is in the Configuration Manager under Network Inputs.
Choose the appropriate vendor and expand the section for instructions on how to forward DHCP requests, as seen in the example below.
Configure Authentication Sources
SafeConnect can perform AD/LDAP lookups to correlate users to specific groups. The Authentication Sources configuration is in the Configuration Manager under Network Inputs.
Click on the Add button to add a new Authentication Source. Enter the required information and Save as shown in the examples below.
Add test subnet to SafeConnect and configure test policy
With all configuration tasks completed, a test endpoint device can be connected to the test subnet. The SafeConnect Device Manager section of the UI is used to verify the status of online devices.
After an endpoint is connected to the test subnet and obtains an IP address, it should show up in the Device Manager in SafeConnect. Click on the IP address or MAC address to view device details. The test device is shown below. Note that the device has failed the policy created in the previous steps.
The Device Manager has a feature which allows an Administrator or Help Desk technician to view the page displayed to the end user. Clicking on the user icon with the quarantine “x” displays the same page that the SafeConnect web server is serving to the client.
For testing purposes, use the SafeConnect Admin account credentials to log in. After entering credentials, checking the Acceptable Use Policy checkbox and clicking Sign In, a successful authentication will display a page letting the user know they are connected. At that point, the device is no longer quarantined on the network and should have whatever access that subnet permits.
The endpoint will also now show up as compliant with policy in Device Manager.