Configure Identity for Unmanaged Devices

Configuring Identity for Unmanaged/BYOD Devices

This section describes how to configure SafeConnect Essentials to tie identity to unmanaged/BYOD devices.

This section assumes that administrators have completed all the required steps on the 741381518 page or the SafeConnect Layer 3 Integration page (for Layer 3 integrations only).

The steps below are not required for 802.1X/WPA2E Authentication, MAC authentication or Initial VLAN Assignment. They are only required to tie identity to unmanaged devices.

Configure DHCP Syslog

SafeConnect processes DHCP syslog exported from DHCP servers to correlate IP and MAC addresses in real time. The DHCP Syslog configuration is in the Configuration Manager under Network Inputs.

Figure: Configuration Manager Menu

Select the appropriate DHCP vendor from the drop-down list.

Figure: DHCP Syslog

Once vendor and IP are configured, click the Add button to add the server to SafeConnect. Instructions for configuring the server to export syslog to SafeConnect are located below the Add button.
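
The following is an added example, not SafeConnect code, showing how DHCP syslog lines can be correlated into an IP-to-MAC table and why an address that moves to a different MAC without a release has to be tracked. It assumes the ISC dhcpd message format; the function name and the sample lines are constructed for illustration.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Message shapes logged by ISC dhcpd (assumed vendor for this example).
ACK = re.compile(rf"DHCPACK on (?P<ip>{IP}) to (?P<mac>{MAC})")
RELEASE = re.compile(rf"DHCPRELEASE of (?P<ip>{IP}) from (?P<mac>{MAC})")

# Constructed sample syslog lines; hosts, addresses and names are made up.
SAMPLE_LOG = [
    "Nov 29 12:53:40 dhcp1 dhcpd[911]: DHCPDISCOVER from 3c:22:fb:aa:bb:01 via eth0",
    "Nov 29 12:53:41 dhcp1 dhcpd[911]: DHCPACK on 10.20.0.15 to 3c:22:fb:aa:bb:01 (phone-a) via eth0",
    "Nov 29 12:54:02 dhcp1 dhcpd[911]: DHCPACK on 10.20.0.16 to A4:83:E7:CC:DD:02 (laptop-b) via eth0",
    "Nov 29 13:10:15 dhcp1 dhcpd[911]: DHCPRELEASE of 10.20.0.15 from 3c:22:fb:aa:bb:01 (phone-a) via eth0 (found)",
    "Nov 29 13:11:30 dhcp1 dhcpd[911]: DHCPACK on 10.20.0.15 to 58:cb:52:ee:ff:03 (tablet-c) via eth0",
    "Nov 29 13:20:44 dhcp1 dhcpd[911]: DHCPACK on 10.20.0.16 to 58:cb:52:00:11:04 (console-d) via eth0",
]


def correlate(lines):
    """Return (bindings, reassigned) built from DHCP syslog lines.

    bindings   maps each leased IP to the lower-cased MAC that currently holds it.
    reassigned lists (ip, old_mac, new_mac) for every IP acknowledged to a new
               MAC while the old binding was still live (no release was seen),
               so identity tied to the old device is not carried to the new one.
    """
    bindings, reassigned = {}, []
    for line in lines:
        ack = ACK.search(line)
        if ack:
            ip, mac = ack["ip"], ack["mac"].lower()
            previous = bindings.get(ip)
            if previous is not None and previous != mac:
                reassigned.append((ip, previous, mac))
            bindings[ip] = mac
            continue
        rel = RELEASE.search(line)
        # Only honour a release from the MAC that actually holds the lease.
        if rel and bindings.get(rel["ip"]) == rel["mac"].lower():
            del bindings[rel["ip"]]
    return bindings, reassigned


if __name__ == "__main__":
    table, moved = correlate(SAMPLE_LOG)
    for ip, mac in sorted(table.items()):
        print(f"{ip} -> {mac}")
    for ip, old, new in moved:
        print(f"reassigned without release: {ip} {old} -> {new}")
```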

Configure DHCP Device Identification

SafeConnect will examine DHCP requests forwarded by DHCP relay agents to help with device fingerprinting. SafeConnect will not respond to DHCP requests and does not act as a DHCP server; the requests are used for identification purposes only. The DHCP Device Identification configuration is in the Configuration Manager under Network Inputs.

Choose the appropriate vendor and expand the section for instructions on how to forward DHCP requests, as seen in the example below.

Configure Authentication Sources

SafeConnect can perform AD/LDAP lookups to correlate users to specific groups. The Authentication Sources configuration is in the Configuration Manager under Network Inputs.

Click on the Add button to add a new Authentication Source. Enter the required information and Save as shown in the examples below.

Add test subnet to SafeConnect and configure test policy

With all configuration tasks completed, a test endpoint device can be connected to the test subnet. The SafeConnect Device Manager section of the UI is used to verify the status of online devices.

After an endpoint is connected to the test subnet and obtains an IP address, it should show up in the Device Manager in SafeConnect. Click on the IP address or MAC address to view device details. The test device is shown below. Note that the device has failed the policy created in previous steps.

Figure: Test Device

The Device Manager has a feature which allows an Administrator or Help Desk technician to view the page displayed to the end user. Clicking on the user icon with the quarantine "x" displays the same page that the SafeConnect web server is serving to the client.

Figure: Device Details

Figure: Sign In

For testing purposes, use the SafeConnect Admin account credentials to log in. After entering credentials, checking the Acceptable Use Policy checkbox and clicking Sign In, a successful authentication will display a page letting the user know they are connected. At that point, the device is no longer quarantined on the network and should have whatever access that subnet permits.

The endpoint will also now show up as compliant with policy in Device Manager.

Figure: Device Details

This concludes the steps required to configure and test Identity for Unmanaged/BYOD Devices. For additional Policy Configuration options, refer to the Policy Manager Guide section. Additional documentation and user guides are located in the SafeConnect CK.