Onboard a Windows device to a wired network with certificates

In this topic, you will learn how to onboard using certificates, the self-onboarding portal, a Windows 10 computer, and a wired network managed by Portnox™ Cloud.

To onboard to a network using a certificate, you need to generate, download, and install the user/device certificate, and then configure your operating system to connect to the network using this certificate. You can configure your operating system semi-automatically using provisioning or manually.

If you already downloaded and installed the certificate for the same device, for example, to authenticate with another type of network, you don’t need to install the certificate again and you should skip the relevant steps.

Download and install the certificate

In this section, you will generate, download, and install the user certificate on your device.

  1. Enter the URL of the self-onboarding portal in your browser.

    To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.

  2. In Step 1, select the third option: CLEAR account certificate management and click on the Next button.

  3. In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
  4. If you have chosen Corporate email address:
    Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
    1. In the Email field, enter your corporate email address and click on the SIGN IN button.

      If you activate the Automatically generate secure password and send me by email checkbox, you will receive a separate email with a Portnox Cloud password. If so, you should use this password in the next steps.

    2. Open your email client and find the email received from Portnox Cloud containing a one-time activation code. Copy this code to the clipboard.

      If you activated the Automatically generate secure password and send me by email checkbox in the previous step, do not confuse the password email with the code email. They are two separate emails.

    3. In the self-onboarding portal, paste the code in the Activation code field and click on the CONFIRM button.

  5. If you have chosen Corporate username and password:
    1. Click on the tile that represents the authentication repository you want to use to sign in. If you want to use Okta Workforce Identity, enter your Okta login and password and click on the SIGN IN button.

      Note: Options depend on the repositories integrated with Portnox Cloud: Microsoft Azure (Entra ID), Google Workspace, and/or Okta Workforce Identity.
    2. Complete the steps needed to sign in. These steps depend on the chosen authentication repository.
  6. Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your device.

    Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.
  7. Double-click on the downloaded certificate file (for example, kosh.p12) to install it:
    1. In the Certificate Import Wizard, select the Current User option and click on the Next button.

    2. In the File to import step, click on the Browse button to select the downloaded certificate file, and click on the Next button.

    3. In the Private key protection step, keep the Password field empty and click on the Next button.

      You can select the advanced option checkboxes as needed.

    4. In the Certificate Store step, select the Automatically select the certificate store based on the type of certificate option and click on the Next button.

    5. In the final step of the wizard, click on the Finish button to confirm your choices.
    6. In the Security Warning window, click on the Yes button.

Result: You downloaded and installed the certificate.

Configure the connection with provisioning

In this section, you will use the self-onboarding portal to generate a provisioning file that configures your network for you.

You only need to configure your network once so if you do the steps in this section, you should skip the next section.

  1. Go back to Step 1 of the self-onboarding portal by clicking on the Back link.
  2. In Step 1, select the second option: CLEAR account activation and Device provisioning and click on the Next button.

    Important: The wired network in the group that the account belongs to must be configured for EAP-TLS authentication. For more information, see the following topic: Advanced network configuration.
  3. Follow the same steps as above to authenticate using your corporate email or corporate username and password.
  4. Click on the tile in the Wired Enrollment Profile section that represents the Windows operating system to download the configuration file ProfileInstaller.exe.

  5. Run the downloaded ProfileInstaller.exe file.

    Windows configures your Ethernet adapter.

Result: Your Windows 10 computer is connected to a wired network managed by Portnox Cloud.

Troubleshooting information: See the following topic: How to troubleshoot typical device onboarding issues.

Configure the connection manually

In this section, you will manually configure your network to use the installed user certificate.

You only need to configure your network once so if you did the steps in the previous section, you should skip this section.

Note: The user interface and the names of options may differ slightly for other Windows versions.
  1. Open the Windows 10 Network and Sharing Center window (Control Panel > Network and Internet > Network and Sharing Center) and click on the Change adapter settings option.

  2. Right-click on the Ethernet connection that represents the adapter connected to the wired network managed by Portnox Cloud and select the Properties option from the pop-up menu.

  3. In the Ethernet Properties window, click on the Authentication tab and in the Choose a network authentication method field, select Microsoft: Smart Card or other certificate. Then, click on the Settings button.

    Note: If there is no Authentication tab, open the Windows Services app, find the Wired AutoConfig service, Start it, and in its Properties, set Startup type to Automatic.
  4. In the Smart Card or other Certificate Properties window, select the Use a certificate on this computer option. Then, activate the Verify the server’s identity by validating the certificate checkbox. Finally, in the Trusted Root Certification Authorities list, find and activate the DigiCert Trusted Root G4 checkbox and click on the OK button.

    Important: We recommend that in the Trusted Root Certification Authorities list, you find and activate all DigiCert certificates as well as the clear-rad.portnox.com certificate, if present. This will help you avoid any changes in case of necessary certificate updates in the future.
  5. Click on the OK button to close the Smart Card or other Certificate Properties window. Click again on the OK button to close the Ethernet Properties window.

Result: Your Windows 10 computer is connected to a wired network managed by Portnox Cloud.

Troubleshooting information: See the following topic: How to troubleshoot typical device onboarding issues.