Introduction and Example Use Cases
This article is designed to provide network administrators with the steps to enable SafeConnect Essentials on the network. The configuration steps below apply the necessary configuration for the following use cases.
Authenticate Users and Devices
With the SafeConnect RADIUS server joined to Active Directory and the network device (switch, AP, controller) properly configured, users will be able to authenticate to the wired or wireless network via 802.1X/WPA2E. EAP-PEAP and EAP-TLS are both supported.
Authentication for non-802.1X Capable Devices (including IoT)
Using the SafeConnect Authorized Devices feature, devices that are unable to be or are not configured for 802.1X/WPA2E can still be authenticated to the network via MAC address.
Assign Network Access
Identity Based Network Access Assignment
Devices successfully authenticated via 802.1X/WPA2E can optionally be assigned specific network access, such as VLAN ID. SafeConnect will validate the group/OU a user belongs to and return the appropriate VLAN ID or desired RADIUS attributes.
MAC Address Based Network Access Assignment
In addition to authenticating devices via MAC address, the SafeConnect Authorized Devices feature also allows for RADIUS attributes such as VLAN ID to be returned when a device successfully authenticates. This ensures that no matter where on the network the device connects, it will also have the appropriate network access assigned. Common examples of this use case are phones and printers.
Network integrated devices (switch, AP, controller) can be configured for Guest VLAN. User devices not configured for 802.1X/WPA2E, such as Guest or BYOD devices, can be placed in a Guest VLAN with restricted access, such as Internet only.
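The two assignment paths above (identity based after 802.1X, MAC based for Authorized Devices) and the Guest VLAN fallback are illustrated below as a small policy decision routine. This is an added example and not SafeConnect's own code: the group DNs, role names, VLAN IDs and MAC addresses are constructed, and the only real items are the IETF tunnel attributes (RFC 3580 section 3.31) that a switch or controller reads from an Access-Accept to place a port in a VLAN.

```python
"""Added example: dynamic VLAN assignment decisions for the use cases above.
Not SafeConnect code; all groups, roles, VLAN IDs and MACs are constructed."""
import re

# IETF tunnel attributes a NAS expects for dynamic VLAN assignment (RFC 3580 section 3.31).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Ordered identity rules (constructed): (AD group DN, VLAN ID). The first matching
# group wins, so list the most specific or most privileged group first.
IDENTITY_RULES = [
    ("CN=Staff,OU=Groups,DC=example,DC=edu", 10),
    ("CN=Students,OU=Groups,DC=example,DC=edu", 20),
]

# Enforcement roles -> VLAN ID (assumed role names, VLAN IDs constructed).
ENFORCEMENT_ROLES = {"phones": 30, "printers": 40}

# Authorized Devices table (constructed): 12 hex digit MAC -> enforcement role.
AUTHORIZED_DEVICES = {
    "001122334455": "phones",
    "66778899aabb": "printers",
}


def mac_key(calling_station_id: str) -> str:
    """NAS vendors format Calling-Station-Id differently (00-11-22-33-44-55,
    0011.2233.4455, ...); reduce it to 12 lower-case hex digits for the lookup."""
    return re.sub(r"[^0-9a-f]", "", calling_station_id.lower())


def vlan_attributes(vlan_id: int) -> dict:
    """RADIUS attributes returned in an Access-Accept to put the port in a VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def assign_for_user(groups) -> dict:
    """802.1X (EAP) succeeded: pick the VLAN from the user's AD group membership.
    A user in no mapped group is still accepted and stays on the port's default VLAN."""
    member_of = {g.lower() for g in groups}
    for group_dn, vlan_id in IDENTITY_RULES:
        if group_dn.lower() in member_of:
            return {"result": "accept", **vlan_attributes(vlan_id)}
    return {"result": "accept"}


def assign_for_device(calling_station_id: str) -> dict:
    """MAC authentication: look the device up in Authorized Devices.
    An unknown MAC is rejected; whether that port then lands in a restricted
    Guest VLAN is decided by the switch, controller or AP's own Guest VLAN feature."""
    role = AUTHORIZED_DEVICES.get(mac_key(calling_station_id))
    if role is None:
        return {"result": "reject"}
    return {"result": "accept", "role": role, **vlan_attributes(ENFORCEMENT_ROLES[role])}


if __name__ == "__main__":
    print(assign_for_user(["CN=Students,OU=Groups,DC=example,DC=edu"]))
    print(assign_for_device("0011.2233.4455"))
    print(assign_for_device("de:ad:be:ef:00:01"))
```

The ordering of IDENTITY_RULES matters: a user who is a member of both groups gets the first rule's VLAN, which is why the rule list is evaluated top down rather than as an unordered set.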
Network Integration Steps
Learn the steps required to integrate SafeConnect into a customer Layer 2 network environment and validate the integration with a test policy. Note that this page only provides the minimum requirements needed to achieve network integration.
Enable the SafeConnect RADIUS Server
To access the SafeConnect UI, navigate to the link below and log in with SafeConnect Admin credentials (admin/admin is the default username and password).
Once logged into the SafeConnect UI, the network integration options are located under Configuration Manager.
Once logged into Configuration Manager, click on Configuration under RADIUS in the left pane.
Once Configuration Mode is enabled, click on RADIUS Server and then click on the Enable button.
Click OK when prompted.
The Enforcement Status light should change from red to green, indicating that enforcement is enabled.
Select the RADIUS Authentication Type
From the Authentication Type drop down list, select the appropriate authentication type.
If endpoints will not be required to have 802.1X supplicants configured, the default Authentication Type of MAC Authentication Only is sufficient.
If MAC Authentication Only is selected, skip the EAP steps and continue with the NAS configuration steps.
If endpoints will be required to have 802.1X supplicants configured, select EAP as the Authentication Type.
If EAP was selected as the Authentication Type, check the Enabled check box, fill out the required fields and click the Join button to join the RADIUS server to Active Directory.
The Workgroup and NetBIOS Name fields are typically left blank and will be auto-populated.
If the desire is to require endpoints to have 802.1X supplicants configured and authenticate via client certificates (EAP-TLS), click on the TLS tab, click the Enable check box and upload the CA certificate to be used for EAP-TLS authentication.
The CA certificate should be in the following format when uploaded:
Base64 encoded Root Cert Info here
If using a certificate chain, the intermediate certificate(s) should precede the root certificate in the uploaded file:
Base64 encoded Intermediate Cert Info here
Base64 encoded Root Cert Info here
Add a network device (switch, AP, controller) to SafeConnect
Click on NAS then click on the New NAS button.
Fill in the requested fields. For this example, we will be adding a Cisco Layer 2 switch.
Configure RADIUS Enforcement Roles and Attributes
Click on Enforcement Roles.
The default quarantine role applies a pre-configured quarantine ACL that resides on the switch, and the default compliant role allows all access. These can be modified as desired or left at their defaults.
Apply/Save RADIUS Configuration Changes
Navigate to Apply. Click Apply and Use, then click OK.
Make sure no errors appear in the log.
Configure Device Authorization (for IoT or non-802.1X capable devices)
For endpoints that are not capable of or configured for 802.1X, the Device Authorization feature provides a quick and easy method for granting specific network access privileges based on MAC address. It maps a MAC address to a specific Enforcement Role, which is applied to the endpoint any time it connects to the network. A common example of this feature is placing VoIP devices in one VLAN and printers in another. Bulk upload of a list of MAC addresses is supported.
In the Configuration Manager UI, click on Authorized Devices under Enforcement setup.
Click on the Bulk Upload button in the upper right-hand corner, then click Download Template.
Open the downloaded template spreadsheet, add the device MAC address(es) and the associated enforcement role(s), and save the changes.
Click on Select File, locate and select the template spreadsheet and click Upload.
The MAC addresses should now appear in the UI under Authorized Devices.
Follow the steps in the Enforcement Roles section (page 261816336) to configure the desired VLANs for the "phones" and "printers" enforcement roles and apply the changes.
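A bulk-upload list is only as good as the MAC addresses and role names in it, so the pre-flight check below validates a list before it is uploaded: every MAC is normalized to one canonical form, broadcast/multicast addresses and malformed entries are rejected, unknown role names are flagged, and one MAC mapped to two different roles is reported as a conflict. This is an added example and not SafeConnect's own tool: the column names are an assumption (match them to the downloaded template), the "phones" and "printers" role names are taken from the example above, and the sample CSV is constructed.

```python
"""Added example: validate an Authorized Devices bulk-upload list before uploading.
Not SafeConnect code. Column names are assumed; adjust them to the real template."""
import csv
import io
import re

MAC_COLUMN = "MAC Address"          # assumed template column name
ROLE_COLUMN = "Enforcement Role"    # assumed template column name

# Roles that already exist under Enforcement Roles (names from the page's example).
KNOWN_ROLES = {"phones", "printers"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff.
    Return the canonical lower-case colon form, or None if it is not a valid MAC."""
    cleaned = (raw or "").strip().lower()
    for sep in (":", "-", "."):
        cleaned = cleaned.replace(sep, "")
    if not _HEX12.fullmatch(cleaned):
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac):
    """A station MAC must have the group (multicast/broadcast) bit of the first octet clear."""
    return int(mac[:2], 16) & 1 == 0


def validate_template(csv_text):
    """Return {"devices": {mac: role}, "errors": [(row_number, message), ...]}.
    Row numbers count the header as row 1, matching what a spreadsheet shows."""
    devices = {}
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):
        mac = normalize_mac(row.get(MAC_COLUMN))
        role = (row.get(ROLE_COLUMN) or "").strip()
        if mac is None:
            errors.append((row_number, "invalid MAC address: %r" % row.get(MAC_COLUMN)))
            continue
        if not is_unicast(mac):
            errors.append((row_number, "%s is a multicast/broadcast address, not a device" % mac))
            continue
        if role not in KNOWN_ROLES:
            errors.append((row_number, "unknown enforcement role: %r" % role))
            continue
        if mac in devices and devices[mac] != role:
            errors.append((row_number, "%s already mapped to role %r, conflicts with %r"
                           % (mac, devices[mac], role)))
            continue
        devices[mac] = role          # exact duplicates are collapsed silently
    return {"devices": devices, "errors": errors}


# Constructed sample list: three good rows followed by four rows that should be caught.
SAMPLE_CSV = """MAC Address,Enforcement Role
00:11:22:33:44:55,phones
00-11-22-33-44-56,printers
0011.2233.4457,phones
00:11:22:33:44:55,printers
ff:ff:ff:ff:ff:ff,phones
not-a-mac,printers
00:11:22:33:44:58,laptops
"""

if __name__ == "__main__":
    result = validate_template(SAMPLE_CSV)
    for mac, role in sorted(result["devices"].items()):
        print("ok     ", mac, "->", role)
    for row_number, message in result["errors"]:
        print("row %d: %s" % (row_number, message))
```

Run it against the CSV exported from the template before clicking Upload; a list that produces any errors should be corrected first, since a mistyped MAC silently never matches and a wrong role name changes which VLAN the device lands in.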
Apply configurations to network devices
Once a network device has been added to SafeConnect and the SafeConnect RADIUS server has been configured, a script or other configuration will need to be applied to the device. Example scripts and configuration steps are provided on the SafeConnect Layer 2 Network Integration Scripts page.
This concludes the integration steps to secure your network. Repeat the steps above for all network devices you would like to integrate with SafeConnect until fully deployed.
Endpoints with properly configured supplicants will be able to authenticate to 802.1X/WPA2E enabled networks with optional network access assignment. Other devices can be assigned network access based on MAC address. For assigning devices that do not match either of these categories to a Guest VLAN, refer to your switch, controller or AP manufacturer's instructions to enable the Guest VLAN feature.
Although not required to secure the network, Device Profiling/Visibility is also available for SafeConnect Essentials. See the link below for information on that option.