Create an account

In this topic, you will learn how to create an account in Portnox™ Cloud. You can create accounts manually for IoT devices, external contractors, and more.

To understand what are accounts in Portnox Cloud and how they work together with groups and policies, read the following topic: What are accounts in Portnox Cloud?.

Note:
If you mapped directory groups and/or organizational units to groups in Portnox Cloud (see: Manage members of a group), you do not need to create individual accounts for users in those groups. The first time that each user from a mapped group or organizational unit authenticates with Portnox Cloud, Cloud will make an account representing this user.
  1. In the Cloud portal top menu, click on the Devices option.

  2. In the top bar, click on the Add button and select the type of account to add:

    • Portnox Account: Use this type of account if you want to use Portnox Cloud as your user repository.
    • LDAP Account: Use this type of account if you want to add individual users from an authentication repository that you configured earlier.
    • MAC-based Account: Use this type of account if you want to give network access to devices that do not work with the 802.1X protocol.
    • Contractor Account: Use this type of account if you want to give network access to users that do not belong to the organization.
    • Device-type Account: Use this type of account if you want to give network access to a large number of similar devices that do not work with the 802.1X protocol.

Create a Portnox account

Use this type of account if you want to use Portnox Cloud as your user repository.

  1. In the Email field, enter the corporate email address of the user for whom you want to create the account.

    Only email addresses from organizational mail domains are allowed. You can configure organizational mail domains here: Settings > Organization > ORGANIZATIONAL MAIL DOMAINS

  2. Optional: Activate the Use an alias when accessing the corporate network checkbox and fill in the Alias field with a unique alias.

    Some devices do not accept the @ special character, such as for TACACS+ authorization. In such cases, you can create and use an alias instead of the email address for the login part of the credentials.

  3. Optional: In the Description field, enter the description for this account, for example, the user’s first and last name.

  4. In the NETWORK ACCESS CREDENTIALS section, select the Password expiration option:

    • Never expire: The password will never expire.

    • Expire on a selected date and time: The password will expire on the selected date and time. Click on the field next to this option to select the date and time from the calendar.

  5. In the GENERAL ACCOUNT SETTINGS section, click on the checkbox Allow devices without AgentP to connect using this account ("agentless access") to activate or deactivate it.

    If this setting is turned on, the user represented by this account will be able to connect to the network using devices with AgentP installed as well as devices without AgentP installed.

    Important:
    This setting may be overridden at the group level, when configuring the specific access layer.
  6. In the Group assignment field, select the group to assign this account to.

  7. Optional: In the Phone field, enter a contact phone number for the user represented by this account.

  8. To save your account settings, click on the Save button in the top right corner.

    Portnox Cloud will send a request to create a password to the email address.

  9. Click on the Set account password button to set the password.

    Note:
    You can set password complexity for Portnox and contractor accounts by accessing: Settings > Services > GENERAL SETTINGS > Password policy for Portnox accounts

Result: The user will be able to access Portnox Cloud using their email address and the password that they set.

Create a LDAP account

Use this type of account if you want to add individual users from an authentication repository that you configured earlier.

  1. In the Domain field, select a domain of the user.

    The list of available domains depends on the configuration of external authentication repositories, which manage these domains.

  2. In the Domain username field, type the user name from the selected domain.

    Portnox Cloud will check if the user name exists in the selected domain when you save the account. If the user name does not exist, the following error message will be displayed under this field: LDAP Directory user 'user' not found in domain 'domain'.

  3. Optional: In the Description field, enter the description for this account, for example, the user’s first and last name.

  4. Optional: Activate the Use an alias when accessing the corporate network checkbox and fill in the Alias field with a unique alias.

    Some devices do not accept the @ special character, such as for TACACS+ authorization. In such cases, you can create and use an alias instead of the email address for the login part of the credentials.

  5. In the GENERAL ACCOUNT SETTINGS section, click on the checkbox Allow devices without AgentP to connect using this account ("agentless access") to activate or deactivate it.

    If this setting is turned on, the user represented by this account will be able to connect to the network using devices with AgentP installed as well as devices without AgentP installed.

    Important:
    This setting may be overridden at the group level, when configuring the specific access layer.
  6. Optional: In the Phone field, enter a contact phone number for the user represented by this account.

  7. To save your account settings, click on the Save button in the top right corner.

Result: The user will be able to access Portnox Cloud using their credentials from the external authentication repository.

Note:
You cannot select a group for the LDAP account. The group is assigned automatically based on the group you mapped to the directory user’s group. If no group is mapped to the directory user’s group, the account is assigned to the Default group. For more information about mapping groups, go to the following topic: Manage members of a group.

Create a MAC-based account

Use this type of account if you want to give network access to devices that do not work with the 802.1X protocol.

A MAC-based account can represent a single device or a group of devices. For better security and control, we recommend creating accounts for individual devices or small groups of closely related devices.

  1. In the Account name field, enter the name that identifies the device or group of devices represented by this account.

  2. Optional: In the Description field, enter the description for this account, for example, more details about the device or group of devices.

  3. In the Allowed MAC Addresses section, click on the Add new MAC address link to add a new device MAC address to this account.

    Your browser will open the CREATE NEW MAC ADDRESS window.

    1. In the MAC address field, type the MAC address of the device to add to the account.

      Portnox Cloud will check if this MAC address is correct.

    2. In the Description field, enter the description for this MAC address, for example, indicate the name or location of the particular device from a group of devices.
    3. In the Expiration field, select if this MAC address is to expire after a certain time: 12 hours, 24 hours, 7 days, 14 days, 30 days, or a custom period. If you select a custom period, select the period end date and time from the calendar.

      A device with an expired MAC address will not be allowed to connect.

    4. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

    The added MAC addresses will be shown as a list with options to Edit or Remove each as well as a search box. Start typing into the search box to show only MAC addresses that match the typed characters.

    You can also click on the filter icon ( ▼ ) to show only MAC addresses from selected vendors or MAC addresses with specific expiration.

  4. Alternatively, In the Allowed MAC Vendors section, click on the Import link to import lists of MAC addresses from files.

    Your browser will open the IMPORT MAC ADDRESSES window.

    • Drag the file containing MAC addresses from a file explorer window to the IMPORT MAC ADDRESSES window and drop it in the indicated area.

    • Alternatively, click on the Select file to import button to select the file from your local file system.

    The format of the text file is as follows, for each line, separating each field with semicolons:

    • MAC address

    • Description (optional)

    • Hours until expiration (optional, enter 0 or leave empty for no expiration date)

    MAC addresses can be in any of the following formats:

    • XX:XX:XX:XX:XX:XX

    • XX-XX-XX-XX-XX-XX

    • XXXX.XXXX.XXXX

    The imported MAC addresses will be shown as a list.

    • To show only selected MAC addresses, start typing in the search field ( 🔍 ).

    • To sort the list, click on the column heading.

    • To edit a MAC address, click on the edit icon ( ✎ ) in the row with the MAC address.

    • To delete MAC addresses, activate checkboxes in the leftmost column, and then click on the Delete button.

    • Click on the filter icon ( ▼ ) to show only MAC addresses from selected vendors, MAC addresses with specific expiration, or MAC addresses last seen.

  5. In the Allowed MAC Vendors section, click on the Add new MAC vendor link to add a group of devices from a specific vendor.
    Note:
    You can have both individual MAC addresses and MAC vendors added to the account at the same time.

    Your browser will open the IMPORT MAC ADDRESSES window.

    1. In the MAC vendor field, start typing the name of the vendor you want to add.

      Portnox Cloud will find it in its list of known vendors and display related MAC address ranges below.

    2. Click on the checkboxes next to the selected MAC address ranges that you want to add to this account.
    3. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

    The added MAC vendors and MAC ranges will be shown as a list with options to Edit or Remove each.

  6. In the Identity Pre-Shared Key (IPSK) section, activate the Enable IPSK checkbox if your access points support IPSK and if you want to secure your Wi-Fi connections using identity pre-shared keys for this account.

    Portnox Cloud will generate an identity PSK for this account. You can view it using the  👁  icon or copy it using the  ⧉  icon. You can click on the Regenerate IPSK link to regenerate it.

  7. In the IoT Device Trust section, click on the Enable IoT Device Trust checkbox to activate or deactivate it.

    If this setting is turned on, Portnox Cloud will use MAC spoofing protection by checking if the device fingerprint matches earlier identification. If it does not match, the device may have been the victim of a MAC spoofing attack.

    Note:
    To use this option, you must turn on IoT device fingerprinting. You can do that here: Settings > Services > GENERAL SETTINGS > Agentless IoT Device Fingerprinting

    If you activate this setting, select the action to be taken:

    • Send a warning alert if this account is suspected of being the victim of MAC spoofing. Devices under this account will still be allowed access to the corporate network.

    • Block devices from accessing the corporate network and send an alert if this account is the victim of MAC spoofing.

    For more information on setting up MAC spoofing protection, read the following topic: Turn on MAC address spoofing protection by IoT fingerprinting.

  8. In the VoIP Assignment section, click on the Assign device to voice VLAN for successful authentication checkbox to activate or deactivate it.

    If this setting is turned on, you can configure an access port with an attached IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. Cisco Meraki switches require the following attribute pairs within the Access-Accept frame to put devices on the voice VLAN: Cisco-AVPair="device-traffic-class=voice".

  9. In the Group assignment field, select the group to assign this account to.

  10. To save your account settings, click on the Save button in the top right corner.

Note:
There is a limit of 12800 MAC addresses per MAC-based account. When an account reaches this limit, you cannot add more MAC addresses through the web portal or the REST API. To fix this, remove any unused MAC addresses to reduce the total below the 12800 limit. Alternatively, create a new MAC-based account with the same configuration as the one that has reached the limit, and add the extra MAC addresses to the new account.
Note:
By default, if a device doesn’t connect to the network for 90 days, its MAC address is removed from the MAB account. You can change this period or disable this option here: Settings > Services > GENERAL SETTINGS > Inactive MAC-addresses purge interval > Edit. This does not mean that the device will be removed from the Portnox Cloud account. It means that if the device has been inactive for the configured period, and it tries to authenticate again after that period using its MAC address, it will no longer be recognized. The process for the Inactive MAC-addresses purge function is as follows:
  • You add a MAC address to a MAB account – the day when you do this counts as day 1.
  • The day counter increases every day at midnight tenant-time,
  • Any time the device with the MAC address authenticates, the counter resets to 1.
  • The moment that the counter reaches the configured limit, the MAC address is removed from the MAB account.
  • The device with the MAC address is no longer in the MAB account so it cannot authenticate.

Create a contractor account

Use this type of account if you want to give network access to users that do not belong to the organization.

Important:
You cannot use contractor accounts to enroll in AgentP.

  1. In the Contractor email field, enter the email address of the contractor.

    Portnox Cloud will accept emails from all domains, including free domains such as gmail.com.

  2. Optional: In the Description field, enter the description for this account, for example, the user’s first and last name.

  3. Optional: Activate the Use an alias when accessing the corporate network checkbox and fill in the Alias field with a unique alias.

    Some devices do not accept the @ special character, such as for TACACS+ authorization. In such cases, you can create and use an alias instead of the email address for the login part of the credentials.

  4. In the NETWORK ACCESS CREDENTIALS section, select the Password expiration option:

    • Never expire: The password will never expire.

    • Expire on a selected date and time: The password will expire on the selected date and time. Click on the field next to this option to select the date and time from the calendar.

  5. In the GENERAL ACCOUNT SETTINGS section, click on the checkbox Allow devices without AgentP to connect using this account ("agentless access") to activate or deactivate it.

    If this setting is turned on, the user represented by this account will be able to connect to the network using devices with AgentP installed as well as devices without AgentP installed.

    Important:
    This setting may be overridden at the group level, when configuring the specific access layer.
  6. In the Group assignment field, select the group to assign this account to.

  7. Optional: In the Phone field, enter a contact phone number for the user represented by this account.

  8. To save your account settings, click on the Save button in the top right corner.

    Portnox Cloud will send a request to create a password to the contractor’s email address.

  9. The contractor must then click on the Set account password button to set their password.

    Note:
    You can set password complexity for Portnox and contractor accounts by accessing: Settings > Services > GENERAL SETTINGS > Password policy for Portnox accounts

Result: The contractor will be able to access Portnox Cloud using their email address and the password that they set.

Create a device-type account

Use this type of account if you want to give network access to a large number of similar devices that do not work with the 802.1X protocol.

Device-type accounts let you define rules based on device properties such as type, vendor, model, and operating system. Similar to MAC-based addresses, they are meant for devices that cannot authenticate using the 802.1X protocol, such as IoT devices.

Important:
You can only create rules for devices that are already known to Portnox Cloud and have device properties.
  1. In the Account name field, enter the name that identifies the device or group of devices represented by this account.

  2. Optional: In the Description field, enter the description for this account, for example, more details about the device or group of devices.

  3. In the ALLOWED DEVICE TYPE section, click on the Devices must pass MAB authentication and meet the defined device properties to be assigned to this account checkbox to activate or deactivate it.

    If this setting is turned on, only the devices that pass the MAC authentication bypass can be assigned to this account. For more information about configuring the MAC authentication bypass, see the following topic: Onboarding with MAC addresses.

  4. If you activated the option in the previous step, click on the Enable IoT Device Trust checkbox to activate or deactivate it.

    If this setting is turned on, Portnox Cloud will use MAC spoofing protection by checking if the device fingerprint matches earlier identification. If it does not match, the device may have been the victim of a MAC spoofing attack.

    Note:
    To use this option, you must turn on IoT device fingerprinting. You can do that here: Settings > Services > GENERAL SETTINGS > Agentless IoT Device Fingerprinting

    If you activate this setting, select the action to be taken:

    • Send a warning alert if this account is suspected of being the victim of MAC spoofing. Devices under this account will still be allowed access to the corporate network.

    • Block devices from accessing the corporate network and send an alert if this account is the victim of MAC spoofing.

  5. Under the Allow devices where heading, build the logical tree of conditions to allow device access:

    • Click on the AND/OR button in a logical branch to change the logical condition.

    • Click on the + button in a logical branch and select Add rule to add another condition to the current logical branch.

    • Click on the + button in a logical branch and select Add And/Or block to add a sub-branch to the current logical branch.

    • In the first column of a logical rule, select Type, Vendor, Model, or OsName to set the parameter to be tested in the condition.

    • In the second column of a logical rule, select Contains, Equals, or NotEquals to set the comparison operator.

    • In the third column of a logical rule, select from the list of available values for the comparison.

  6. Click on the Refresh matches button to show the PREVIEW MATCHING DEVICE(S) section.

    Note:
    The Refresh matches button becomes active only after you select the group in the next step.
  7. In the Identity Pre-Shared Key (IPSK) section, activate the Enable IPSK checkbox if your access points support IPSK and if you want to secure your Wi-Fi connections using identity pre-shared keys for this account.

    Portnox Cloud will generate an identity PSK for this account. You can view it using the  👁  icon or copy it using the  ⧉  icon. You can click on the Regenerate IPSK link to regenerate it.

  8. In the VoIP Assignment section, click on the Assign device to voice VLAN for successful authentication checkbox to activate or deactivate it.

    If this setting is turned on, you can configure an access port with an attached IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. Cisco Meraki switches require the following attribute pairs within the Access-Accept frame to put devices on the voice VLAN: Cisco-AVPair="device-traffic-class=voice".

  9. In the Group assignment field, select the group to assign this account to.

  10. To save your account settings, click on the Save button in the top right corner.