Onboard IoT devices by creating MAC-based accounts automatically

In this topic, you will learn how to configure Portnox™ Cloud to create MAC-based accounts automatically for any new devices connecting to the network.

Important: To be able to onboard IoT devices using their MAC addresses, your NAS must support MAB authentication.
Important: We recommend activating automatic device registration only after onboarding all company devices. Otherwise, any new device (not just IoT devices) that connects will be added to the network automatically, as described below.

You can use this method to connect IoT devices to wired or Wi-Fi networks. The procedure is the same for both network types.

Activate automatic device registration

Before you activate automatic device registration, make sure that the Default group allows MAC-based authentication for all relevant networks (wired and specific Wi-Fi). For more information about creating and editing the networks in the group, see the following topic: Create a group.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > MAC-address-based onboarding option.

  3. In the right-hand side pane, under the MAC-address-based onboarding heading, click on the Edit link.

  4. Click on the MAC Authentication Bypass Onboarding checkbox to activate it.

    If this setting is turned on, for each new device that connects to the network, Portnox Cloud will do the following:

    • Create a MAC-based account. The name of the account will be the name of the network adapter vendor, which is automatically identified using the MAC address.

    • Assign the account to the Default group.

    • Add the device to this MAC-based account.

      • If agentless IoT device fingerprinting is on (Services > GENERAL SETTINGS > Agentless IoT Device Fingerprinting), the name of the device will be automatically identified using the MAC address of its adapter.

      • If agentless IoT device fingerprinting is off, the name of the device will be the MAC address of its adapter.

    As a result, the device will immediately have access to the network with privileges of the Default group.

  5. Optional: Click on the Quarantine device in VLAN checkbox to activate it and enter the VLAN number in the adjacent field.

    If this setting is turned on, new devices that connect to the network will be quarantined in the selected VLAN and the automatically created accounts will be treated as quarantine accounts.

    To remove the device from quarantine and let it access the network, you have to manually add the device’s MAC address to another MAC-based account and delete the quarantine account.

  6. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

    After you click on one of the buttons, Portnox Cloud will exit the edit mode.
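The following Python model, added here as an illustration and not Portnox code, shows what the steps above produce for a new MAC address: the account named after the adapter vendor, the Default group assignment, the device named by fingerprint or by MAC, the quarantine flag from step 5, and the manual release described there. The OUI-to-vendor table and all MAC addresses are constructed sample values.

```python
import re

# Constructed OUI table (first three octets -> vendor). Portnox resolves vendors
# itself; a real lookup would use the IEEE OUI registry.
OUI_VENDORS = {
    "00:1a:2b": "ExampleCam Inc.",
    "3c:4d:5e": "Sensorworks Ltd.",
}

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def vendor_for(mac):
    """Account name = vendor identified from the OUI (first three octets)."""
    return OUI_VENDORS.get(mac[:8], "Unknown vendor")

def onboard(mac, fingerprint_name=None, quarantine_vlan=None):
    """Model the MAB account that automatic onboarding creates for one new device.

    fingerprint_name: name found by agentless IoT fingerprinting (None when it is off).
    quarantine_vlan:  VLAN id when 'Quarantine device in VLAN' is on, else None.
    """
    mac = normalize_mac(mac)
    return {
        "account_name": vendor_for(mac),
        "group": "Default",                       # always assigned to the Default group
        "quarantine_account": quarantine_vlan is not None,
        "vlan": quarantine_vlan,
        "devices": [{"mac": mac, "name": fingerprint_name or mac}],
    }

def release_from_quarantine(accounts, mac, target):
    """Step 5 remedy: move `mac` into another MAB account and delete its quarantine account."""
    mac = normalize_mac(mac)
    remaining = []
    for acct in accounts:
        if acct["quarantine_account"] and any(d["mac"] == mac for d in acct["devices"]):
            target["devices"].extend(d for d in acct["devices"] if d["mac"] == mac)
            continue  # the quarantine account is dropped, not kept in `remaining`
        remaining.append(acct)
    return remaining
```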

Note: By default, if a device doesn’t connect to the network for 90 days, its MAC address is removed from the MAB account. You can change this period or disable this option here: Settings > Services > GENERAL SETTINGS > Inactive MAC-addresses purge interval > Edit. This does not mean that the device will be removed from the Portnox Cloud account. It means that if the device has been inactive for the configured period, and it tries to authenticate again after that period using its MAC address, it will no longer be recognized. The process for the Inactive MAC-addresses purge function is as follows:
  • You add a MAC address to a MAB account: the day you do this counts as day 1.
  • The day counter increases every day at midnight tenant-time.
  • Any time the device with the MAC address authenticates, the counter resets to 1.
  • When the counter reaches the configured limit, the MAC address is removed from the MAB account.
  • The device with the MAC address is no longer in the MAB account, so it can no longer authenticate.
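The purge process above, modelled in Python as an added example (not Portnox code) so that the day arithmetic can be checked: the counter starts at 1 on the day the MAC is added, advances at each tenant-time midnight, resets to 1 on every successful authentication, and the MAC is dropped when the counter reaches the limit. The account name, MAC address and a `purge_days=None` convention for a disabled purge are assumptions.

```python
DEFAULT_PURGE_DAYS = 90          # the default inactivity period described on the page
MAC = "00:1a:2b:11:22:33"        # constructed sample MAC address

class MabAccount:
    """Tracks the inactivity day counter of every MAC address in one MAB account."""
    def __init__(self, name, purge_days=DEFAULT_PURGE_DAYS):
        self.name = name
        self.purge_days = purge_days   # None models a disabled purge (assumption)
        self.counters = {}             # mac -> day counter

    def add_mac(self, mac):
        self.counters[mac] = 1         # the day the MAC is added counts as day 1

    def authenticate(self, mac):
        """MAB request for `mac`: succeeds and resets the counter only if it is still listed."""
        if mac not in self.counters:
            return False               # a purged MAC is no longer recognized
        self.counters[mac] = 1
        return True

    def midnight(self):
        """Tenant-time midnight: advance every counter and purge those that reach the limit."""
        purged = []
        for mac in list(self.counters):
            self.counters[mac] += 1
            if self.purge_days is not None and self.counters[mac] >= self.purge_days:
                del self.counters[mac]
                purged.append(mac)
        return purged

def simulate(purge_days, auth_days, last_day):
    """Walk days 1..last_day (day 1 = day the MAC was added); the device authenticates
    on the days in `auth_days`. Returns (still_listed, day_removed_or_None)."""
    acct = MabAccount("constructed-vendor", purge_days)
    acct.add_mac(MAC)
    removed_on = None
    for day in range(1, last_day + 1):
        if day > 1 and MAC in acct.midnight() and removed_on is None:
            removed_on = day
        if day in auth_days:
            acct.authenticate(MAC)
    return MAC in acct.counters, removed_on

if __name__ == "__main__":
    print(simulate(90, set(), 89))    # (True, None): counter is 89, one short of the limit
    print(simulate(90, set(), 90))    # (False, 90): counter reaches 90, MAC removed
    print(simulate(90, {50}, 120))    # (True, None): the day-50 authentication reset the counter
```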

Connect the IoT device to the network managed by Portnox Cloud

  1. Configure the IoT device to connect to the network.

    Use the web interface or the access console of the IoT device to configure network access.

  2. Connect the IoT device to the network.

    If the IoT device asks for credentials to access the network, enter any credentials. First, your NAS will try to authenticate your IoT device using credentials, and if that fails, the NAS will check if it can authenticate the IoT device using its MAC address.

  3. Check the Devices page to make sure the connection is successful.
    1. In the Cloud portal top menu, click on the Devices option.
    2. In the displayed list of devices, find an entry representing the IoT device.

      You can optionally use the LAST CONNECTED filter to see devices that connected today or the NETWORK tab to see devices that are now connected.

    Result: The IoT device is connected to the network.

    • If agentless IoT device fingerprinting is on: the device entry shows the automatically identified device name.

    • If agentless IoT device fingerprinting is off: the device entry shows the MAC address of the device's adapter.