Portnox Cloud: NAC Product Review


Portnox Cloud offers network access control (NAC) as a cloud-hosted SaaS solution that enables rapid deployment of basic NAC capabilities. Although the capabilities are more limited than some NAC competitors, the quick deployment and reduced IT labor costs make Portnox Cloud an attractive solution for many.

To compare Portnox Cloud against competitors, see our complete list of top network access control (NAC) solutions.

Who Is Portnox?

Portnox is a private company that specializes in network access security. It has nearly 1,000 customers and closed a $22 million Series A funding round with Elsewhere Partners in 2022. Founded in 2007, Portnox began by selling a software-based NAC solution for use in local networks. Since then, Portnox has continued to add capabilities, launched the first cloud-native NAC in 2017, and now offers a NAC SaaS solution, Portnox Cloud.

Portnox Cloud

Portnox Cloud offers a cloud-native SaaS NAC solution that can be implemented at three different levels:

  • RADIUS-as-a-Service provides quick, effective, and basic network access control using the cloud-native Remote Authentication Dial-In User Service (RADIUS) protocol
  • TACACS+-as-a-Service provides cloud-native, centralized Authentication, Authorization, and Accounting (AAA) using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol that helps to manage network equipment
  • ZTNA-as-a-Service (formerly known as Portnox Clear) provides cloud-native Zero Trust Network Access (ZTNA) for all devices and users

Portnox Cloud works on all types of connections (wired, WiFi, virtual private network [VPN]). RADIUS and TACACS+ apply to specific types of endpoints, but the ZTNA-as-a-Service product works for all kinds of devices, including Bring-Your-Own-Device (BYOD) endpoints, Internet-of-Things (IoT) devices, operations technology (OT), industrial control systems (ICS), and industrial IoT (IIoT).

While Portnox Cloud is the company's current focus, Portnox also continues to offer the on-premises Portnox Core. This self-managed NAC solution loses many of the advantages of SaaS (low maintenance, rapid setup, etc.) but allows organizations to maintain full control over the deployment.

Agents

Portnox does not require an agent. Agentless options use root certificates, Simple Certificate Enrollment Protocol (SCEP), Microsoft Intune integration, and EAP-TLS 802.1X authentication to gather endpoint information for reporting and enforcement.

Portnox Cloud’s ZTNA-as-a-Service provides an option for AgentP, an agent that installs on Windows, macOS, iOS, Android, or Linux. The agent does not make any changes to the endpoint, so it is suitable for BYOD, but it provides valuable insight into the status of the device, such as location data, dangerous applications, jailbroken devices, and OS versions.

Applicable Metric

As a cloud-based SaaS application, Portnox Cloud offers NAC protection for unlimited devices and users. 

Security Qualifications

Portnox hosts its services within Microsoft Azure and shares the inherent storage and physical access certifications achieved by Microsoft. For example, encryption keys, administrator passwords, and other critical information are stored in the Azure Key Vault in FIPS 140-2 Level 2-validated hardware security modules (HSMs). Portnox publishes its Security Architecture and Principles for customer review, and Portnox Cloud (formerly known as Clear) holds System and Organization Controls (SOC) 2 Type II certification for the NAC-as-a-Service platform.

Features

  • Portnox RADIUS+ Network Authentication
    • Implements in under 30 minutes with no installations required
    • Tried-and-true technology using the Remote Authentication Dial-In User Service protocol and built-in RADIUS proxy and RADIUS Forwarding
    • Does not require passwords when using device MAC address characteristics (AKA: MAC Authentication Bypass) as an authentication factor
    • Selectable access layers
    • Integrates with directory services (Active Directory, LDAP)
    • Easy-to-define security groups and role-based authentication
    • Anti-flood protection against DDoS attacks
    • Location-based access policies
  • Portnox TACACS+ Network Device Administration
    • Centralizes authentication for multiple user databases such as OpenLDAP, Active Directory (AD), Azure AD, Google Workspace, Okta, and more
    • Enables granular authorization with varying levels of privilege, services allowed, commands, and more
    • Consolidates network accounting to track user activity (identities, start/stop times, executed commands, etc.) across all network devices to streamline audits and reporting
    • Integrates via RESTful API with security information and event management (SIEM) solutions
    • Customizable risk policy based on the mode of access (wired, VPN), location, requested network device, etc.
  • Portnox ZTNA
    • Vendor-agnostic zero trust network access control
    • Detects and quarantines non-compliant devices based on firewalls, antivirus, applications, USB drives, and more
    • Enables device remediation for non-compliant devices
    • Guest self-onboarding and up to 50 daily guest accounts; SMS-based and sponsor-based onboarding also supported 
    • Device assessment using Portnox AgentP and agentless assessment
    • Automated discovery of all devices
    • Monitoring of traffic and monitoring-only mode
    • Multi-region RADIUS redundancy

Pros

  • Fully cloud-native
  • No hardware required to maintain, update, and manage, although virtual machines for local RADIUS backup and local TACACS+ record keeping may be necessary for full functionality
  • Maintenance-free, with no need for backups or special security
  • Covers wired, WiFi, and VPN network access
  • Real-time visibility into network access attempts
  • Centralized administration, control, authentication, and reporting
  • Applies to all devices from managed laptops to BYOD mobile phones or even security cameras (IoT) or heat sensors (OT)
  • Network-hardware agnostic and doesn’t require network redesign
  • A full range of options from basic NAC to ZTNA
  • Low entry price when considering the reduced total cost of ownership from reduced labor to maintain, update, and administer the NAC solution

Cons

  • Screen lags can occur on congested connections
  • Customers have noted inconsistent port statuses between switches and Portnox
  • Lacks features compared to competitors, particularly for the two entry-level options
  • Maintains a smaller database of IoT devices, but offers an add-on AI-powered IoT fingerprinting solution
  • May be more expensive than self-administered options for larger enterprises
  • SaaS removes direct control from the organization

Intelligence

The Portnox Cloud ZTNA solution integrates with SIEM and other security tools.

Delivery

Portnox Cloud is available as a SaaS product. However, local RADIUS instances can be established to maintain protection even when internet connections are broken. The Portnox TACACS+ deployment also requires a virtual appliance to be downloaded and installed in monitored local networks to ensure proper auditing trails.

Pricing

Portnox offers a 30-day free trial and some of the most transparent pricing in the NAC market:

  • Portnox RADIUS+ Network Authentication
    • Up to $2 per device per month
    • $1,000 per month minimum subscription
    • Available volume discounts
    • Optional add-on: Certificate Authority Services 
    • 14-day archived device data retention
    • 10-hour, 5-day-a-week support (excluding holidays)
  • Portnox TACACS+ Network Device Administration
    • $200 per admin per month
    • Free account for 1 admin and 100 devices available without expiration
  • Portnox ZTNA
    • Up to $5 per device per month
    • $1,000 per month minimum subscription
    • Available volume discounts
    • 60-day archived device data retention
    • 24 x 7 support

Several add-on packages are also available, such as a “white-glove” managed onboarding service for $3,500, extended guest account packages, or extended device data retention for $0.99 per device per year for each additional 30 (RADIUS+) to 45 (ZTNA) days. Discounts are also available for education and non-profit customers.

Bottom Line: Best Option for Turnkey NAC Deployment

Organizations that need quick deployment or lack the IT personnel to install and manage a NAC should consider Portnox Cloud’s NAC SaaS offering. The rapid deployment and decreased IT support requirements make this product a strong contender for organizations of all sizes.

Chad Kime
