How does Portnox Cloud know the device make/model?

When a device connects to Portnox Cloud using AgentP, AgentP sends system information to Portnox Cloud, which includes the device name and type (if found in the device’s system information). Therefore, when viewing the device in the device grid, AgentP devices have the most information available, and this information persists even if AgentP is later uninstalled. Similar information may also be provided through LDAP fields for the device in the case of LDAP-based onboarding.

Additionally, when any device connects to the network protected by Portnox Cloud, Cloud attempts to automatically recognize the device make/model on the basis of two mechanisms:

  • MAC addresses: The first three bytes of the MAC address are called the vendor address component and they uniquely identify the vendor of the equipment. The last three bytes are used by every vendor differently. Portnox uses its own proprietary method of examining MAC addresses that is called MAC address clustering, which not only gives information about the vendor but also lets Portnox identify the make and model of the device.

    Note: Many devices allow you to spoof the MAC address. For example, you can easily change the MAC address of any network adapter on a Windows computer. The spoofed address may specify another vendor and another device type. Therefore, MAC address information is not fully reliable.
  • DHCP fingerprinting: Portnox Cloud uses DHCP fingerprinting to prevent MAC spoofing and to gather more reliable information about the device. DHCP requests do not include information about the vendor, device type, or model, but their structure is unique and different for most devices.

    Portnox Cloud uses specialist DHCP fingerprinting databases in partnership with other security providers. This lets Portnox Cloud submit the unique DHCP fingerprint and get information about the most probable device make/model from those databases.

    DHCP fingerprints cannot be spoofed like MAC addresses, and therefore if a DHCP fingerprint is found in a database as an exact match, the information about the device make/model is reliable. However, there are rare cases when less common devices may not be recognized in DHCP fingerprint databases, or where DHCP fingerprints of two devices are identical.

Portnox Cloud uses both the MAC address information and the DHCP fingerprinting information to specify the device make/model. Using both at the same time makes this information as precise as possible.
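The following added example (not Portnox code; the MAC address clustering method and the fingerprint databases are proprietary) shows the general idea of checking a MAC vendor prefix against a DHCP fingerprint. It assumes the fingerprint is the ordered list of option codes in DHCP option 55 (Parameter Request List), and the lookup tables, vendor names, and sample packets are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2131)

# Constructed lookup tables for illustration; not real vendor or fingerprint data.
OUI_VENDORS = {"02:aa:bb": "ExamplePrinterCo", "02:cc:dd": "ExampleLaptopCo"}
FINGERPRINTS = {
    "1,3,6,15,44,47": ("ExamplePrinterCo", "LaserPrinter 100"),
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("ExampleLaptopCo", "Notebook 14"),
}

def parse_dhcp(packet: bytes):
    """Return (client MAC, fingerprint); fingerprint is the ordered option 55 list."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    mac = ":".join(f"{b:02x}" for b in packet[28:34])  # chaddr, Ethernet (hlen 6)
    i, requested = 240, b""
    while i < len(packet) and packet[i] != 255:        # 255 = End option
        if packet[i] == 0:                             # 0 = Pad, a single byte
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated DHCP option")
        code, length = packet[i], packet[i + 1]
        if code == 55:                                 # Parameter Request List
            requested = packet[i + 2:i + 2 + length]
        i += 2 + length
    return mac, ",".join(str(b) for b in requested)

def classify(packet: bytes) -> dict:
    """Combine the MAC vendor hint with the DHCP fingerprint and flag disagreement."""
    mac, fingerprint = parse_dhcp(packet)
    oui_vendor = OUI_VENDORS.get(mac[:8])
    match = FINGERPRINTS.get(fingerprint)
    if match is None:
        verdict = "unknown-fingerprint"                # only the MAC hint is available
    elif oui_vendor is not None and oui_vendor != match[0]:
        verdict = "mac-dhcp-mismatch"                  # MAC may be spoofed: review
    else:
        verdict = "consistent"
    return {"mac": mac, "oui_vendor": oui_vendor, "device": match, "verdict": verdict}

def build_discover(mac: str, requested: list) -> bytes:
    """Build a constructed DHCPDISCOVER payload so the example runs offline."""
    header = bytes([1, 1, 6, 0]) + bytes(24) + bytes.fromhex(mac.replace(":", ""))
    header += bytes(10 + 192)                          # chaddr padding, sname, file
    options = bytes([53, 1, 1, 55, len(requested), *requested, 255])
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    printer_options = [1, 3, 6, 15, 44, 47]
    print(classify(build_discover("02:aa:bb:00:00:01", printer_options)))
    print(classify(build_discover("02:cc:dd:00:00:02", printer_options)))
```

The order of the option codes is part of the fingerprint, so the same codes requested in a different order do not match the table entry.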

However, there are cases when none of the above information is available: there is no AgentP or LDAP onboarding to provide the information, and neither the MAC address nor the DHCP databases provide specific information about the device’s make, model, or type. In such situations, the device is displayed in the device grid using its MAC address, and any other information is described as unknown.

Note: The device type can change during the first connection of the device. This is because before the device fully connects to the network, the only piece of information available for fingerprinting is the MAC address. After the device connects to the NAS, Portnox Cloud can perform full fingerprinting.