Expanding variety of end devices connected to the Internet has introduced high demand to flexibly authenticate and grant them the necessary access to the network. However, it is not realistic to expect of all the end devices, including less capable and low-cost devices like sensors or embedded systems, to satisfy the requirement of integrated authentication procedure like 802.1x. We propose Software-defined Authentication FramEwork (SAFE) that enables 1) isolation of unauthenticated devices and 2) access control with more flexible modes of authentication. By systematically separating authentication and access control, the networks can have multiple options for authenticating end devices according to their capability, while access control and policy enforcement can be done on a unified platform using SDN. SAFE uses a combined approach of MAC-based identification and location awareness, i.e., the port number and a switch DPID in SDN, to keep unauthenticated devices isolated and still be able to communicate with their affordable authentication server. We examined SAFE in the following 3 scenarios: 1) an emulation environment, 2) a live test bed using production SDN switches and 3) a mixed network with both SDN and non-SDN switches. This paper also implements an alternative and practical mode of authentication expecting IoT devices, which would benefit the most from SAFE. ©2016 ACM.