Release notes

New features and improvements in this release

• It is now possible to define custom RADIUS attributes dynamically for different user groups and devices.

• A Docker container for local RADIUS is now available as an alternative to our virtual appliance for deployment in IaaS clouds such as Azure, AWS, and GCP.

Security enhancements

• Read-only Admins may now view TACACS+ policies.

• Audited events in the Activity Log can now be sent to your configured SIEM solution.

Usability and supportability improvements

• When a custom NAS-Display name is defined it is now used in place of the default NAS name in SIEM events.

• Our latest documentation is now accessible and searchable from within the product Help page.

• A link to the AgentP download page has been added to Help page navigation.

• Removed MDM Settings from Groups as this feature no longer works with newer versions of iOS.

• Addressed issue where sometimes only a single alert would be shown on the Alerts view until the page was refreshed.

• The Subscription Plan page has been updated to remove references to previously offered subscription plans.

New features and improvements in this release

• AAA Logs Improvements – Administrators can load AAA logs into browser memory, so they can sort and search AAA logs directly from Clear portal.

• TACACS+ MFA – TACACS+ administrators can leverage AgentP as a second factor authentication for authentication and authorization.

• New TACACS+ Docker Container – Administrators can use a token for authentication and pass it to the container as a secret.

• AgentP – AgentP is now available for Android version 13 and 14.

• Read-only Admins with Azure AD accounts can now receive reports.

• Added an ability for Cloud and Contractor accounts to change their passwords.

• Added the MAC address into the RADIUS failed to Authenticate device SIEM message.

• Improved performance and scalability for exporting Accounts/Devices from the Devices grid.

• Improved performance of AAA logs download.

New features and improvements in this release

• TACACS+ Policies – Administrators can create TACACS+ policies with dynamic condition to a group. Dynamic condition can contain various properties (such as Site Name, NAS Name, NAS MAC Address, NAS Vendor) to define a scope for policy assignment.

• Site filter for the Devices grid – it is now possible to filter devices based on the Site that they are assigned to.

• OUI Manufacturer was added to MAC Bypass denied alerts and SIEM Events generated by these alerts.

• Added a control to copy TACACS+ shared secret from UI.

New features and improvements in this release

• AgentP can now authenticate Windows machines to the network using device certificates, user certificates, or a combination of both user and device certificates. When both user and device certificates are used and no one is logged into the machine, only the machine itself is authenticated to the network using the device certificate. You may configure that device to be assigned to a different VLAN or ACL for least privilege, ensuring the device is still able to be managed remotely and receive updates, but nothing more. Once a user logs into the machine, the device will re-authenticate to the network using that user’s certificate, assigning the correct ACL or VLAN that will allow that user to access only the resources on the network that are needed.

• It is now possible to add individual users from an Authentication Repository to Portnox Cloud groups. No longer do you need to coordinate with whomever manages the identity provider in your environment to have custom groups created for specific use cases. Instead, the Portnox Cloud admin can add one or several different individual users to any Portnox Cloud group themselves, just as easily as adding groups. You can even combine groups and individual users from any authentication repository into any Portnox Group.

• Those working with large lists of MAC Addresses for MAB accounts will notice some significant usability improvements, such as the ability to search for MAC address, and filter options such as vendor and expiration.

• macOS and Windows minimum supported versions can now be defined as part of a Risk Policy, similar to iOS and Android.

• The TACACS+ service is now available as an optional Docker container for both ARM64 and AMD64 architectures. This allows the TACACS+ service to be deployed in virtually any public cloud IaaS, such as AWS, Azure, GCP, etc. The TACACS+ service can now also be deployed on low-cost, solid state, micro computers, such as the Raspberry Pi.

• The Portnox Cloud login page has received a sexy new redesign to provide a fresh new look and improved performance.

• Alert messages now include the NAS display name the authenticating device is connected to.

• When an Intune integration app secret expires, it is now possible to update that secret directly from within the Portnox Cloud portal.

• AAA logs may now be exported to W3C formatted text files for troubleshooting, reporting, or archival purposes.

New features and improvements in this release

Group improvements

• The Groups page has been completely redesigned to allow now allow the ability to re-order group priority order through an intuitive drag-and-drop interface.

• The Group Edit page has also been completely redesigned to improve readability, scannability, and overall useability by making the layout of the page simpler and more intuitive.

Portnox Cloud admin account management

• Portnox Cloud Admins now have a dedicated area under [Settings > Account Settings] where the admin can change their password, update their name, subscribe/unsubscribe to email alerts, and configure MFA. Previously, these could only be completed on behalf of the admin by another Portnox Cloud admin.

MFA authenticator support

• Portnox Cloud admins can now utilize Authenticator applications such as Google Authenticator, Microsoft Authenticator, LastPass Authenticator, etc. as a more secure alternative to SMS for second factor authentication to the Portnox Cloud portal.

WPA3 Enterprise 192-bit mode support

• WPA Enterprise 192-bit mode can now be used for enhanced security on all operating systems and devices where it is supported.

  • Windows 10, version 2004 (build 19041) and Windows Server 2022 or later
  • Android 10 or later
  • Apple IOS 14.6 or later
  • macOS on Apple silicon only
  • Linux machines running NetworkManager 1.30 or later

AgentP configures 802.1X on wired interfaces

• AgentP can now automatically configure wired Ethernet adapters for 802.1X as they are added to the system via USB, docking stations, etc.

Azure Marketplace

• Portnox Cloud is now available through the Azure Marketplace. Customers can apply Azure credits to their Portnox Cloud subscription, as well as use Portnox Cloud to achieve Azure spend commitments.

Additional improvements

• The real IP address of the NAS is now shown in incorrect shared secret alerts, making it easier to identify misconfigured devices in the environment.

• Device manufacturer information has been added to alerts generated for MAC address bypass failures, simplifying the process of identifying devices that are unable to successfully authenticate to the network.

• Search in the devices grid now supports quotation notation allowing for exact matching in search results, such as searching by IP Address. E.g. searching for 192.168.0.2 will function as it always has, returning 192.168.0.2 and 192.168.0.22. However, searching for '192.168.0.2' in quoted notation will return only 192.168.0.2.

• 5xx & 4xx error pages now include direct links to Portnox status and support pages.

• Authentication failures for unsupported MSCHAPv2 authentication type no longer creates device objects or consume device entitlements.

New features and improvements in this release

IoT device trust (new feature)

• Detect and automate remediation actions for MAC address bypass (MAB) spoofing attacks Azure AD Integration (improvement).

• CLEAR administrators can now renew the token used for their Azure AD application integration.

New features and improvements in this release

• Secure Syslog over TLS has been added as a new protocol for forwarding alerts to SIEM solutions.

• New Devices/Accounts page is now default (you are still able to switch for old page).

• All links (e.g. from Alerts) are now routed to the new Devices/Accounts page.

• A feature for saving the filter has been added to the new Devices/Accounts page.

• Fixed an issue with deleting multiple devices.

• Fixed sorting.

• Added a preview for device-based accounts, so users can verify the results of a query.

• Improved concurrent editing of MAC-based accounts.

• API tokens can now be used with external authentication repositories.

• Authentication region has been added to SIEM alerts.

• Improvements on repository synchronization to reduce alerting noise.

• Licensing improvement to not count device twice, when two certificates are used on the same machine.

• Fixed the subscription expiration alert to show the correct amount of remaining days.

New features and improvements in this release

• IoT device type accounts – Utilize IoT fingerprint information to automate and orchestrate those devices access to the network. For example, assign all Roku and Apple TV streaming devices to VLAN 44. Assign an access control list to all Sony brand televisions, while preventing Sony PlayStations from accessing the network.

• A new and much faster Devices/Accounts page is now available as a public preview. In addition to significantly improved performance, this new Devices page now supports multi-select as well as progressive scroll.

• Our Jamf integration will now pull in available device information for Apple devices in the Portnox Cloud device management portal, such as Device type, Vendor, Device model, OS, and OS Version information, similar to devices managed through Intune.

• Intune integration for certificate distribution through SCEP now uses two Azure apps, each with least privilege.

• The delete confirmation dialog now includes the MAC address of the device being deleted.

• RADIUS failure alerts due to invalid shared secret now include the real IP address of the NAS device, rather than the routable NAT-ed IP address the NAS device resides behind.

New features and improvements in this release

• Administrators can now rename MAB accounts.

• Search now supports the use of reserved characters in search results, such as -, space, :, +, and *.

• Note that search may be sporadically unreliable for several days following release as indexes are rebuilt.

• Administrators can now enable AgentP multi-user mode on Windows from within the Cloud portal.

• Allows AgentP to be used on shared machines and alerts to be associated with the logged-on user.

• The Cloud API /api/nases post request with "info":1 now returns the full SitePath for NAS devices.

• NTLMv2 can now be enabled for AD Broker under Settings > Authentication Repositories > Directory Integration Service.

• All MAC addresses are now listed under device management for devices managed via AgentP.

New features and improvements in this release

• SaaS DHCP listener for IoT fingerprinting.

• Optional IoT fingerprinting DHCP forwarder docker container for use on-premises.

New features and improvements in this release

• Added VPN remote access Security-as-a-Service documentation to the Portnox Cloud Help page.

• Added a Configuration Guide for Aruba 1930 to the Portnox Cloud Help page.

• Added in-product link to KB articles to navigation section of the Portnox Cloud Help page.

• It is now possible to delete orphaned AD Brokers displayed in the Portnox Cloud interface.

• It is now possible to search for accounts by last name in the devices view.

• Tool tips have been added to member names on the Groups page. This now makes reading the long group names from external authentication repositories possible.

New features and improvements in this release

• High precision IoT fingerprinting is now available via DHCP gleaning on select Cisco Catalyst models. Information is passed via existing RADIUS accounting records. Fingerprinting includes the installed operating system and OS version. Device Model number now appears in Device Details pane, and OS and OS version fields are now user-editable.

• Applications, scripts, and other integrations can now authenticate to our API using tokens rather than usernames & passwords.

• Microsoft Defender is now identified as a Security Product on macOS.

• The Cloud group limit has been increased from 30 to 60.

• AgentP will now identify applications installed by the current logged-in user.

• Intune integration with Jamf now supports correlating devices to device groups in Azure AD for proper mapping to Portnox Cloud groups.

• When adding a MAC address to a MAB account from an alert it is now possible to scroll through the list of all MAB accounts.

• Added the ability to filter AAA logs by time, in addition to date.

New features and improvements in this release

• IoT Fingerprinting – Enterprise subscription customers will begin noticing agentless devices being fingerprinted, showing the device manufacturer and device type when selected and viewed from within the devices grid.

• Added the ability to configure settings for certificates issued by Cloud to mitigate IP fragmentation issues that can occur when exceeding custom MTU values.

• A new filter option was added, allowing admins to filter the accounts grid by MAC-based account to return a list of only MAB accounts and not their associated devices. To return a list of MAB accounts and their associated devices, continue using the MAC-based access only filter.

• A new search field has been added to the Devices > Network grid, allowing you to search the tree hierarchy for specific sites or NAS devices.

• The API now returns the monitoring or enforcement status when a list of NAS devices is queried.

• It is now possible to return a list of accounts based on account type when queried via the API.

• Site information has been added to alerts and SIEM events for improved correlation and better notification routing in multi-site organizations.

• Network sites and NAS devices are now sorted alphanumerically in the Devices > Network tree.

• Added the ability to disable CoA (Change of Authorization) from within the UI.

• Syslog support was added to both the RADIUS and TACACS+ virtual appliances to aid in troubleshooting. This can be enabled and configured through the Cloud portal.

• SNMPv1/v2/v3 support was added to both the RADIUS and TACACS+ virtual appliances to allow for more easy monitoring of resource consumption, performance, and availability of the virtual appliance and associated daemons.

• A new Organizational Expiring Certificates Report that lists all certificates expiring soon can be downloaded on-demand through the UI or emailed regularly to your inbox on a reoccurring basis.

• A downloadable Wired 802.1X configuration via Intune configuration guide has been added to the Help section of the UI.

• A downloadable Certificate Distribution to Chromebooks via SCEP & Google Workspace Guide has been added to the Help section of the UI.

Bugs addressed in this release

• Accounts authenticating to the network using EAP-TLS certificates are no longer blocked if their password in Okta has expired.

• Links provided in email to guests who received sponsored access to the network will no longer be pre-expired as a result of Microsoft’s Safe Links feature.

• TACACS+ audit events now properly generate fully populated Alerts in Cloud and to SIEM solutions, containing the IP address of the client machine, the name of the user, the IP address of the NAS device, the privilege level of the user, the service used, the command executed against the device, if the command and any arguments passed, if the command was allowed or denied, as well as the date and time of the event.

Additional changes made in this release

• Extra allowance percentage has been reduced from 20% to 5%.

New features and improvements in this release

• Cloud API: Added command to get all MAC addresses listed in the MAB account (and account info).

• Populate extension.mac and extension.policy fields in Signature 17043 (MAC Bypass denied).

• Removed duplicates of fields in SIEM alerts.

• Monitoring and enforcing actions for MAC bypass are split into two actions.

• New Minimum Supported Operating System Version Risk Assessment Policy for Android.

• Various UI and usability improvements.

New features and improvements in this release

• Add MAC address to MAB account from an Alert.

• TACACS+: Added wildcard arguments support for allowed & forbidden commands.

• Jamf integration for agentless compliance of macOS devices via Intune.

• New Minimum Supported Operating System Version Risk Assessment Policy for iOS.

New features and improvements in this release

• Improved usability and discoverability of sharing troubleshooting logs with support in AgentP for iOS.

• AgentP will now properly configure wired interfaces for EAP-TLS on Windows 10.

• MAC addresses in MAC accounts are now highlighted when expired.

• Improved the alert to include the reason for authentication failure when MAC address is expired.

• A new alert is raised when enrolling additional devices exceeds the maximum allowed.

• Provided option not to display AgentP configuration window after successful silent deployment.

• Intune attributes not applicable to iOS and Android devices were removed to eliminate potential false positives.

• Support for distributing EAP-TLS certificates to enterprise-managed Android devices using SCEP through Intune was added.

• Compliance status for agentless Intune-managed macOS clients is now properly respected when EAP-TLS certificates are issued through Jamf using SCEP.

• An ability to disable AgentP automatic updates via a registry key has been added.

• Text in AgentP has been made clearer when manual enrollment is not possible due to unattended automatic enrollment enabled.

• Addressed multiple security vulnerabilities in the OpenSSH library used in local RADIUS and TACACS+ virtual machines.

• Documentation for Integrations with JumpCloud, Rapid7, Intune, Jamf, Splunk Cloud, and Sumo Logic added to the Help page.

• Added the ability to get a full listing of MAC addresses associated with a MAB account via the REST API.

• Added a new field labeled Outcome to events sent to SIEM to include allowed or denied that denote if access to the network was granted or denied as a result of the alert.

• Updated list of IPs used by local RADIUS proxies to communicate with SaaS services.

• Added a Show link and a Copy button for TACACS+ shared secret similar to local RADIUS.

• Added a new certificate authentication alert when it is impossible to create account because the domain name is not found.

• Numerous performance improvements.

Bug fixes

• Federated enrollment fails when user enrolls for the first time.

• Have to refresh browser after adding an access policy in order to show up for group.

• Failed to authenticate in case of LDAP auto-onboarding with existing archived agentless device.

• TACACS+ failed to onboard account correctly when mailNickname and UPN are different.

• Azure AD: No notification sync has started in the header menu after force sync.

• Azure AD: LDAP account created during auto onboarding is removed during sync.

• Azure AD + Intune: Azure app configuration is not updated during re-enabling integration.

• Risk policy: Risk Score for any agentp-based MDM attribute doesn’t store after applying risk score for agentless MDM attribute in the same policy and refresh the policy page.

New features and improvements in this release

• TACACS+ early availability.

• New manual configuration option for Azure AD Integration added for least privilege.

• General bug fixes.