Network Integration

Introduction and Example Use Cases

This article is designed to provide network administrators with the steps to enable SafeConnect Essentials on the network. The configuration steps below apply the settings needed for the following use cases.

Authenticate Users and Devices

802.1X/WPA2E Authentication

With the SafeConnect RADIUS server joined to Active Directory and the network device (switch, AP, controller) properly configured, users will be able to authenticate to the wired or wireless network via 802.1X/WPA2E. EAP-PEAP and EAP-TLS are both supported.

Authentication for non-802.1X Capable Devices (including IoT)

Using the SafeConnect Authorized Devices feature, devices that cannot be, or are not, configured for 802.1X/WPA2E can still be authenticated to the network by MAC address.

Assign Network Access

Identity Based Network Access Assignment

Devices successfully authenticated via 802.1X/WPA2E can optionally be assigned specific network access, such as VLAN ID. SafeConnect will validate the group/OU a user belongs to and return the appropriate VLAN ID or desired RADIUS attributes.

MAC Address Based Network Access Assignment

In addition to authenticating devices by MAC address, the SafeConnect Authorized Devices feature also allows RADIUS attributes such as VLAN ID to be returned when a device successfully authenticates. This ensures that no matter where on the network the device connects, it receives the appropriate network access. Common examples of this use case are phones and printers.
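To make concrete what "return the appropriate VLAN ID" looks like on the wire, here is an added example (not SafeConnect code) that encodes the RFC 2868/3580 tunnel attributes a switch or controller consumes for dynamic VLAN assignment into a RADIUS Access-Accept, and parses them back the way a NAS would. The shared secret, packet identifier and the role-to-VLAN mapping are constructed values, not SafeConnect defaults.

```python
# Added example (not SafeConnect code): the RADIUS attributes behind a VLAN assignment.
# RFC 2868 defines Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81);
# per RFC 3580 a NAS applies the VLAN in Tunnel-Private-Group-ID when Type=VLAN and Medium=IEEE-802.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
ROLE_VLANS = {"phones": 20, "printers": 30}   # constructed role-to-VLAN mapping, not SafeConnect defaults


def vlan_attributes(vlan_id, tag=1):
    """Encode the three tunnel attributes for one VLAN; all three carry the same tag byte."""
    out = b""
    for avp_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        payload = bytes([tag]) + value.to_bytes(3, "big")        # tag + 3-byte integer
        out += bytes([avp_type, 2 + len(payload)]) + payload
    payload = bytes([tag]) + str(vlan_id).encode("ascii")        # tag + VLAN ID as text
    return out + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(payload)]) + payload


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Access-Accept header + Response Authenticator (RFC 2865 section 3) + attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the NAS checks before trusting an Accept: recompute the Response Authenticator."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_vlan(packet):
    """Return the VLAN ID a NAS would apply, or None if the attribute trio is missing or inconsistent."""
    attrs, seen = packet[20:], {}
    while len(attrs) >= 2:
        avp_type, avp_len = attrs[0], attrs[1]
        if avp_len < 2 or avp_len > len(attrs):
            return None                                          # malformed attribute: reject
        value, attrs = attrs[2:avp_len], attrs[avp_len:]
        if avp_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[avp_type] = int.from_bytes(value[1:], "big")
        elif avp_type == TUNNEL_PRIVATE_GROUP_ID:
            seen[avp_type] = value[1:] if value and value[0] <= 0x1F else value   # strip tag byte
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(group) if group.isdigit() else None
```

The Response Authenticator is the only thing binding the Accept to the NAS shared secret, which is why the switch-side RADIUS secret configured for each NAS must match what is entered in SafeConnect.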

Guest VLAN

Network integrated devices (switch, AP, controller) can be configured for Guest VLAN. User devices not configured for 802.1X/WPA2E, such as Guest or BYOD devices, can be placed in a Guest VLAN with restricted access, such as Internet only.

Network Integration Steps

Learn the steps required to integrate SafeConnect into a customer Layer 2 network environment and validate the integration with a test policy. Note that this page only provides the minimum requirements needed to achieve network integration.

Enable the SafeConnect RADIUS Server

To access the SafeConnect UI, navigate to the link below and log in with SafeConnect Admin credentials (admin/admin is the default username and password).
https://x.x.x.x:8443/manage

(Screenshot: SafeConnect Login)

Once logged into the SafeConnect UI, the network integration options are located under Configuration Manager.

Once logged into Configuration Manager, click on Configuration under RADIUS in the left pane.


Once Configuration Mode is enabled, click on RADIUS Server and then click on the Enable button.


Click OK when prompted.


The Enforcement Status light should change from red to green, indicating that enforcement is enabled.

Select the RADIUS Authentication Type

From the Authentication Type drop down list, select the appropriate authentication type.

If endpoints are not required to have 802.1X supplicants configured, the default Authentication Type of MAC Authentication Only is sufficient.

If MAC Authentication Only is selected, skip to the NAS configuration steps (bypass the EAP steps).

If endpoints are required to have 802.1X supplicants configured, select EAP as the Authentication Type.

If EAP was selected as the Authentication Type, check the Enabled check box, fill out the required fields and click the Join button.

The Workgroup and NetBIOS Name fields are typically left blank and will be auto-populated.

If endpoints are required to have 802.1X supplicants configured and to authenticate with client certificates (EAP-TLS), click on the TLS tab, check the Enable check box and upload the CA certificate to be used for EAP-TLS authentication.

The CA certificate should be in the following format when uploaded:

-----BEGIN CERTIFICATE-----
Base64 encoded Root Cert Info here
-----END CERTIFICATE-----

If using a certificate chain, it should be in the following format when uploaded (intermediate first, root last):

-----BEGIN CERTIFICATE-----
Base64 encoded Intermediate Cert Info here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64 encoded Root Cert Info here
-----END CERTIFICATE-----
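Before uploading a bundle on the TLS tab, it is worth confirming that every block is well formed and that the chain is in the order shown above. The following is an added example (not SafeConnect code) that does this with the standard library only: it parses just enough DER to read each certificate's issuer and subject Names and compares them as raw bytes; it does not verify signatures, so it catches ordering and formatting mistakes, nothing more.

```python
# Added example (not SafeConnect code): check a PEM bundle before uploading it as the EAP-TLS CA.
# Reads only issuer/subject Names from each certificate; no signature verification is performed.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_subject(der):
    """Walk Certificate -> tbsCertificate and return (issuer, subject) as raw DER Name contents."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert, 0)
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0         # [0] EXPLICIT version is optional
    _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)              # validity
    _, subject, _ = _tlv(tbs, pos)
    return issuer, subject


def check_ca_bundle(pem_text):
    """Return a list of problems; an empty list means the bundle matches the expected layout."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no complete -----BEGIN/END CERTIFICATE----- block found"]
    problems, names = [], []
    for i, body in enumerate(blocks, 1):
        try:
            names.append(issuer_subject(base64.b64decode("".join(body.split()), validate=True)))
        except (ValueError, IndexError):
            return problems + [f"certificate {i}: body is not valid base64/DER"]
    for i in range(len(names) - 1):         # each certificate must be issued by the one after it
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}: check the order")
    if names[-1][0] != names[-1][1]:        # the chain should end with a self-signed root
        problems.append("last certificate is not self-signed; the root certificate should be last")
    return problems
```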


Add a network device (switch, AP, controller) to SafeConnect.
Click on NAS, then click the New NAS button.

(Screenshot: NAS)

Fill in the requested fields. For this example, we will be adding a Cisco Layer 2 switch.

Configure RADIUS Enforcement Roles and Attributes

Click on Enforcement Roles.


The default quarantine role applies a pre-configured quarantine ACL that resides on the switch, and the default compliant role allows all access. These can be modified as desired or left at their defaults.



Apply/Save RADIUS Configuration Changes

Navigate to "Apply". Click Apply and Use, then click OK.


Make sure no errors appear in the log.


Configure Device Authorization (for IoT or non-802.1X capable devices)

For endpoints that are not capable of, or not configured for, 802.1X, Device Authorization provides a quick and easy method for granting specific network access privileges based on MAC address. It maps a MAC address to a specific Enforcement Role, which is applied to the endpoint any time it connects to the network. A common example is placing VoIP devices in one VLAN and printers in another. Bulk upload of a list of MAC addresses is supported.

In the Configuration Manager UI, click on Authorized Devices under Enforcement setup.


Click on the Bulk Upload button in the upper right-hand corner, then click Download Template.


Open the downloaded template spreadsheet, add the device MAC address(es) and the associated enforcement role(s), and save the changes.


Click Select File, locate and select the template spreadsheet, and click Upload.




The MAC addresses should now appear under Authorized Devices in the UI.



Follow the steps in the 261816336 section to configure the desired VLANs for the "phones" and "printers" enforcement roles and apply the changes.

Apply configurations to network devices

Once a network device has been added to SafeConnect and the SafeConnect RADIUS server has been configured, a script or other configurations will need to be applied to the device. Example scripts and configuration steps are provided on the SafeConnect Layer 2 Network Integration Scripts page.

This concludes the integration steps to secure your network. Repeat the steps above for all network devices you would like to integrate with SafeConnect until fully deployed.

Endpoints with properly configured supplicants will be able to authenticate to 802.1X/WPA2E-enabled networks, with optional network access assignment. Other devices can be assigned network access based on MAC address. To place devices that match neither category in a Guest VLAN, refer to your switch, controller or AP manufacturer's instructions for enabling the Guest VLAN feature.

Although not required to secure the network, Device Profiling/Visibility is also available for SafeConnect Essentials. See the link below for information on that option.

Optional - Configure Device Profiling/Visibility