Configure Identity for Unmanaged Devices

Configuring Identity for Unmanaged/BYOD Devices

This section describes how to configure SafeConnect Essentials to tie identity to unmanaged/BYOD devices.

This section assumes that administrators have completed all the required steps on the 741381518 page or the SafeConnect Layer 3 Integration page (for Layer 3 integrations only).

The steps below are not required for 802.1X/WPA2E Authentication, MAC Authentication or Initial VLAN Assignment. They are only required to tie identity to unmanaged devices.

Configure DHCP Syslog

SafeConnect will process DHCP syslog exported from DHCP servers to correlate IP and MAC addresses in real time. The DHCP Syslog configuration is in the Configuration Manager under Network Inputs.

Configuration Manager Menu

Select the appropriate DHCP vendor from the drop-down list.

DHCP Syslog

Once vendor and IP are configured, click the Add button to add the server to SafeConnect. Instructions for configuring the server to export syslog to SafeConnect are located below the Add button.
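
To illustrate what correlating IP and MAC addresses from DHCP syslog involves, the following added example (not SafeConnect's code and not part of this guide) replays constructed ISC dhcpd-style log lines and keeps the binding table current when an address is renewed, reassigned or released. The log format, the `LeaseTable` class, the `replay` helper and the sample lines are assumptions made for illustration; other DHCP vendors log these events differently.

```python
import re

# ISC dhcpd message bodies (assumed format; other DHCP vendors log differently).
ACK = re.compile(r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>[0-9a-fA-F:]{17})")
RELEASE = re.compile(r"DHCPRELEASE of (?P<ip>\d+(?:\.\d+){3}) from (?P<mac>[0-9a-fA-F:]{17})")

class LeaseTable:
    """Tracks the current IP <-> MAC binding from a stream of DHCP syslog lines."""
    def __init__(self):
        self.ip_to_mac, self.mac_to_ip = {}, {}

    def _unbind_ip(self, ip):
        mac = self.ip_to_mac.pop(ip, None)
        if mac is not None and self.mac_to_ip.get(mac) == ip:
            del self.mac_to_ip[mac]

    def feed(self, line):
        """Apply one syslog line; return an event tuple, or None if irrelevant."""
        m = ACK.search(line)
        if m:
            ip, mac = m["ip"], m["mac"].lower()
            prev_mac = self.ip_to_mac.get(ip)
            if prev_mac == mac:
                return ("renew", ip, mac)
            # The IP went to another device, or the device moved to a new IP:
            # drop both stale bindings so identity is not tied to the wrong device.
            self._unbind_ip(ip)
            if mac in self.mac_to_ip:
                self._unbind_ip(self.mac_to_ip[mac])
            self.ip_to_mac[ip], self.mac_to_ip[mac] = mac, ip
            return ("reassigned" if prev_mac else "bound", ip, mac)
        m = RELEASE.search(line)
        # A release only counts if that MAC still holds the IP (late releases are ignored).
        if m and self.ip_to_mac.get(m["ip"]) == m["mac"].lower():
            self._unbind_ip(m["ip"])
            return ("released", m["ip"], m["mac"].lower())
        return None

# Constructed sample lines (not captured from a real server).
SAMPLE = [
    "Mar  3 10:15:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.51 to AA:BB:CC:00:00:01 (laptop) via eth0",
    "Mar  3 10:45:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.51 to aa:bb:cc:00:00:01 (laptop) via eth0",
    "Mar  3 12:00:07 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.51 to aa:bb:cc:00:00:02 (phone) via eth0",
    "Mar  3 12:00:09 dhcp1 dhcpd[812]: DHCPRELEASE of 10.20.0.51 from aa:bb:cc:00:00:01 (laptop) via eth0 (found)",
    "Mar  3 12:30:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.52 to aa:bb:cc:00:00:02 (phone) via eth0",
]

def replay(lines, table):
    """Feed every line to the table and return the events that changed or confirmed a binding."""
    return [event for event in map(table.feed, lines) if event]
```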


Configure DHCP Device Identification

SafeConnect will examine DHCP requests forwarded by DHCP relay agents to help with device fingerprinting. SafeConnect will not respond to DHCP requests and does not act as a DHCP server; the requests are used for identification purposes only. The DHCP Device Identification configuration is in the Configuration Manager under Network Inputs.


Choose the appropriate vendor and expand the section for instructions on how to forward DHCP requests, as seen in the example below.



Configure Authentication Sources

SafeConnect can perform AD/LDAP lookups to correlate users to specific groups. The Authentication Sources configuration is in the Configuration Manager under Network Inputs.


Click on the Add button to add a new Authentication Source. Enter the required information and Save as shown in the examples below.




Add test subnet to SafeConnect and configure test policy

With all configuration tasks completed, a test endpoint device can be connected to the test subnet. The SafeConnect Device Manager section of the UI is used to verify the status of online devices.


After an endpoint is connected to the test subnet and obtains an IP address, it should show up in the Device Manager in SafeConnect. Click on the IP address or MAC address to view device details. The test device is shown below. Note that the device has failed the policy created in previous steps.

Test Device

The Device Manager has a feature which allows an Administrator or Help Desk technician to view the page displayed to the end user. Clicking on the user icon with the quarantine “x” displays the same page that the SafeConnect web server is serving to the client.

Device Details

Sign In

For testing purposes, use the SafeConnect Admin account credentials to log in. After the credentials are entered, the Acceptable Use Policy checkbox is checked and Sign In is clicked, a successful authentication will display a page letting the user know they are connected. At that point, the device is no longer quarantined on the network and should have whatever access that subnet permits.


The endpoint will also now show up as compliant with policy in Device Manager.

Device Details

This concludes the steps required to configure and test Identity for Unmanaged/BYOD Devices. For additional Policy Configuration options, refer to the Policy Manager Guide section. Additional documentation and user guides are located in the SafeConnect CK.