How to onboard IoT devices using MAC-address-based onboarding
In this topic, you will find a suggested process for onboarding IoT devices, when their full inventory is not known.
This topic explains how to use MAC-address-based onboarding to enroll IoT devices (MAC-authenticating devices) into Portnox Cloud when you do not have a complete inventory of these devices. The process is designed to run in two phases: the first phase is defining the accounts, and the second phase is the live enrollment of devices during migration to Portnox Cloud, when the RADIUS and 802.1X configurations are applied to the switches or access points.
Most customers do not have a full list of their IoT devices. To address this, Portnox Cloud provides MAC-address-based onboarding. This feature lets you enroll devices over a specific period, such as during a site migration. Enable this feature just before adding the 802.1X configuration to a switch or access point, and disable it once all IoT devices at the site are accounted for.
When MAC-address-based onboarding is enabled, any IoT device that connects is automatically enrolled in an account. Accounts are generated based on the device’s MAC address OUI. You can then assign these accounts to the appropriate groups and manage them via 802.1X according to your policies. The steps below describe best practices for using this feature effectively.
Phase 1: Identification
This phase is designed to identify all types of IoT devices. Use one example of each device type to create its account and assign it to the appropriate group.
- Enable MAC-address-based onboarding. In Portnox Cloud, go to .
  - Click on the Edit link.
  - Activate the Grant access to any device... checkbox.
  - Click on the Save button.
- Enable 802.1X/MAB on a switch and at least one switch port.
- Note the MAC address of the test device.
- Connect the device to the port configured with 802.1X/MAB.
- Monitor alerts for account creation.
- Click on the Devices option in the top menu and search for the MAC address.
- Verify that the account to which the device was assigned has been created.
- Edit this account by clicking on the 🗎 icon in the right-hand side pane.
  - Change the Account display name to a value that represents the device type, such as IP phones, Printers, or Security devices.
  - Click on the Save account button.
- Click on the Policies option in the top menu.
  - Create an access control policy for the device type represented by the account above, if needed.
- Click on the Groups option in the top menu.
  - Click on the Add group button.
  - Fill in the Group name (it should reflect the account created above).
  - In the Device global settings section, activate the Unlimited checkbox.
  - Configure wireless and wired resources as required.
  - Click on the Save button.
- On the Groups screen, in the left-hand side menu, click on the ACCOUNT MEMBERSHIP option.
  - Click on the PORTNOX REPOSITORY option.
  - In the All accounts pane, search for the account that you just created.
  - Activate the checkbox next to the account and move it to This group’s accounts.
  - Click on the Save button.
- On the Groups screen, in the left-hand side menu, click on the POLICY ASSIGNMENTS option.
  - If required, make the changes needed to assign the policy above.
  - Click on the Save button.
- Repeat the previous steps as needed for each remaining type of IoT device, using one example device of each type.
- Disable MAC-address-based onboarding. In Portnox Cloud, go to .
  - Click on the Edit link.
  - Deactivate the Grant access to any device... checkbox.
  - Click on the Save button.
Phase 2: Capture
This phase is designed to capture all IoT devices based on the account and group structure defined earlier. All devices of a given type must share the same OUI, because accounts are generated per OUI. This is usually not an issue, but exceptions will be addressed if they occur. This phase happens during a migration or cut-over to Portnox Cloud.
- Enable MAC-address-based onboarding. In Portnox Cloud, go to .
  - Click on the Edit link.
  - Activate the Grant access to any device... checkbox.
  - Click on the Save button.
- Enable 802.1X/MAB on a switch and at least one switch port.
- Monitor alerts for account creation and exceptions.
  - If an IoT device enrolls and is not assigned to one of the pre-configured accounts, it is assigned to a new account named after the vendor of its MAC address (its OUI).
  - Investigate what this device is, and either assign the new account to the proper group, or delete the account and add the MAC address to the appropriate existing account.
  - When you no longer see any live MAB authentications occurring outside of the expected groups in the alerts, the onboarding is complete.
- Disable MAC-address-based onboarding. In Portnox Cloud, go to .
  - Click on the Edit link.
  - Deactivate the Grant access to any device... checkbox.
  - Click on the Save button.
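The OUI-to-account mapping described in the introduction and the exception check in the Phase 2 monitoring step, as an added example that is not part of the Portnox documentation or product: a small audit script that groups observed MAB authentications by OUI, assigns them to the accounts created in Phase 1, and lists the OUIs that would fall outside the expected groups. It assumes a constructed list of MAC addresses (for instance exported from a switch MAC table or collected from RADIUS accounting) and a constructed mapping of OUI prefixes to Phase 1 account names; the OUI values are placeholders, not real vendor assignments.

```python
"""Audit MAB enrollments by OUI against the accounts created in Phase 1.

Added example; not Portnox code. Every OUI and MAC address below is
constructed for illustration and does not correspond to a real vendor.
"""
import re
from collections import defaultdict

# Constructed stand-ins for the accounts created in Phase 1, keyed by OUI.
EXPECTED_ACCOUNTS = {
    "00:11:22": "IP phones",
    "AA:BB:CC": "Printers",
    "DE:AD:BE": "Security devices",
}

# Constructed sample of MAB authentications seen during the cut-over,
# deliberately in the mixed formats switches and RADIUS logs produce.
ENROLLMENTS = [
    "00:11:22:33:44:55",
    "0011.2233.4466",      # Cisco dotted notation
    "aa-bb-cc-00-00-01",   # dashed, lower case
    "DE:AD:BE:EF:00:01",
    "12:34:56:78:9A:BC",   # unknown OUI: would land in a vendor-named account
    "12:34:56:78:9A:BD",
]


def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case colon-separated octets, e.g. 00:11:22:33:44:55.

    Accepts colon, dash and dotted forms; rejects anything without 12 hex digits.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui(mac: str) -> str:
    """The first three octets (the OUI), which is what account generation keys on."""
    return normalize_mac(mac)[:8]


def classify(macs, expected=EXPECTED_ACCOUNTS):
    """Split observed MACs into (assigned, exceptions).

    assigned:   account name -> sorted MACs whose OUI matches a Phase 1 account
    exceptions: unknown OUI  -> sorted MACs that need investigation
    """
    assigned = defaultdict(set)
    exceptions = defaultdict(set)
    for raw in macs:
        mac = normalize_mac(raw)
        prefix = mac[:8]
        account = expected.get(prefix)
        if account is None:
            exceptions[prefix].add(mac)
        else:
            assigned[account].add(mac)
    return (
        {name: sorted(v) for name, v in assigned.items()},
        {prefix: sorted(v) for prefix, v in exceptions.items()},
    )


def onboarding_complete(macs, expected=EXPECTED_ACCOUNTS) -> bool:
    """True when every observed authentication maps to an expected account."""
    return not classify(macs, expected)[1]


def adopt_oui(expected, prefix, account):
    """Return a new mapping in which an investigated OUI is tied to an account.

    This mirrors the manual decision in Phase 2 (assign the new account to the
    proper group) so the next audit run no longer reports it as an exception.
    """
    updated = dict(expected)
    updated[prefix.upper()] = account
    return updated


if __name__ == "__main__":
    assigned, exceptions = classify(ENROLLMENTS)
    for account, macs in assigned.items():
        print(f"{account}: {len(macs)} device(s)")
    for prefix, macs in exceptions.items():
        print(f"EXCEPTION OUI {prefix}: {macs} -> investigate and assign")
    print("onboarding complete:", onboarding_complete(ENROLLMENTS))
```

Run it against a fresh export each time you review the alerts; when the exceptions dictionary comes back empty, the condition in the last monitoring step (no MAB authentications outside the expected groups) holds for that sample.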
