Top Misconceptions About Passwordless Authentication Debunked
In a world where passwords are constantly breached, reused, and phished, the cybersecurity industry is shifting toward passwordless authentication—a method ...
Read More 
Networks
Applications
Infrastructure
Integrations
The best security investment you'll make.
Unified zero trust access control & security essentials. All from the cloud. No BS.
Secure Your Networks
Secure Your Applications
Secure Everything
Secure Your Infrastructure
| Features | Network AuthenticationContact Us for Pricing | Network Access
Contact Us for Pricing | Conditional
Contact Us for Pricing | Unified
Contact Us for Pricing |
|---|---|---|---|---|
| Cloud RADIUS Services | ||||
| Wireless, wired, VPN access | ✓ | ✓ | ✓ | |
| Anti-flood protection services | ✓ | ✓ | ✓ | |
| RadSec support | ✓ | ✓ | ✓ | |
| RADIUS forwarding rules (eduroam support) | ✓ | ✓ | ✓ | |
| Authentication Services | ||||
| Role-based authentication | ✓ | ✓ | ✓ | ✓ |
| MAC authentication bypass | ✓ | ✓ | ✓ | |
| Account lifecycle synchronization | ✓ | ✓ | ✓ | ✓ |
| Passwordless authentication | ✓ | ✓ | ✓ | |
| Certificate authority services | $1 / device | ✓ | ✓ | ✓ |
| SAML 2.0 authentication Services | ✓ | ✓ | ||
| OpenID Connect | ✓ | ✓ | ||
| Network Security | ||||
| 802.1X authentication | ✓ | ✓ | ✓ | |
| Dynamic VLAN / ACL assignment | ✓ | ✓ | ✓ | |
| Portnox AgentP | ✓ | ✓ | ✓ | |
| Agentless posture assessment | ✓ | ✓ | ||
| Application Security | ||||
| Secure SaaS application access (CASB) | ✓ | ✓ | ||
| Secure access to on-prem applications | ✓ | ✓ | ||
| Endpoint risk & posture assessment | ✓ | ✓ | ||
| Application specific risk profiles | ✓ | ✓ | ||
| Policy enforcement & automated remediation | ✓ | ✓ | ||
| Audit tracking & logging | ✓ | ✓ | ||
| Guest Access | ||||
| Guest accounts | Up to 50 guests per day | Up to 100 guests per day | ||
| Self-onboarding for guests | ✓ | ✓ | ||
| Sponsor-based onboarding | ✓ | ✓ | ||
| SMS-based onboarding | ✓ | ✓ | ||
| Control | ||||
| Role-based access policies | ✓ | ✓ | ✓ | |
| Location-based policies | ✓ | ✓ | ✓ | |
| Change of Authorization (CoA) | ✓ | ✓ | ||
| Device access geo restrictions | ✓ | ✓ | ✓ | |
| Visibility | ||||
| Monitoring-only mode | ✓ | ✓ | ✓ | |
| Archived devices data retention | 14 days | 45 days | 30 days | 60 days |
| Dynamic group assignment per device type | ✓ | ✓ | ✓ | |
| IoT profiling | ✓ | ✓ | ✓ | |
| IoT device trust | ✓ | ✓ | ||
| Intune Integration for advanced device properties | ✓ | ✓ | ||
| Jamf Integration for advanced device properties | ✓ | ✓ | ||
| Onboarding | ||||
| Device provisioning services | ✓ | ✓ | ||
| Device self-onboarding & activation services | ✓ | ✓ | ||
| Certificate enrollment services | ✓ | ✓ | ||
| Onboarding Services | ✓ | ✓ | ✓ | ✓ |
| Reporting | ||||
| Device visibility report | ✓ | ✓ | ✓ | ✓ |
| Security compliance report | ✓ | ✓ | ✓ | |
| Guest utilization report | ✓ | ✓ | ||
| Additional Capabilities | ||||
| RADIUS proxy - local failover | ✓ | ✓ | ✓ | |
| Multi-regional redundancy | ✓ | ✓ | ✓ | |
| TACACS+ / AAA | 1 admin / 100 devices | 2 admin / 200 devices | 1 admin / 100 devices | 3 admin / 300 devices |
| SIEM | On prem/SaaS | On prem/SaaS | On prem/SaaS | On prem/SaaS |
| MS Intune | ✓ | ✓ | ✓ | |
| MFA admin access (w/ SMS) | ✓ | ✓ | ✓ | |
| MFA admin access (w/ Authenticator App) | ✓ | ✓ | ✓ | |
| RESTful API | ✓ | ✓ | ✓ | |
| Entra (Azure) AD/Google Workspace/Active Directory | ✓ | ✓ | ✓ | ✓ |
| Okta | ✓ | ✓ | ✓ | |
| Extended device data retention | Add 30 days - 99¢ / device / year | Each additional 30 days - 99¢ / device / year | Add 30 days - 99¢ / device / year | Each additional 30 days - 99¢ / device / year |
| 24x7x365 Support* | Elite Services Customers | Elite Services Customers | Elite Services Customers | Elite Services Customers |
| 24x5 Standard Support | ✓ | ✓ | ✓ | ✓ |
| Add-on Packs | ||||
| Extended guest package (50) | $ | $ | $ | |
| Additional SMS package (1000) | $ | $ | $ | |
| TACACS+ / AAA | $ | $ | $ |
TACACS+
$200 USD/Admin/Month
| Authentication Services | Authorization Services | Accounting Services |
|---|---|---|
| Azure AD | Privilege Levels | User Identities |
| Google Workspace | Session Timeouts | Start / Stop Times |
| Microsoft AD | Command Restrictions | Executed Commands |
| OKTA | Allowed Services | Packet Transfers |
| Password Encryption | Custom Attributes |
We want our partners to grow their businesses alongside us.
Our partners are an extension of our business. As such, Portnox’s Partner Program offers special pricing and incentives designed to award those partners committed to achieving our shared goal of securing network access for more and more companies around the world.
Don't take our word for it.
"Easy to setup, deploy, manage and support."
Jun 13, 2024
Verified User in Financial Services
"Portnox Powerhouse"
Jun 14, 2024
Verified User in Manufacturing
"Seamless integration with Microsoft Intune to extend a ZTNA Network"
Jun 18, 2024
Kyle N.
IT Supervisor
IT Supervisor
"Vital Piece of the Security Puzzle"
Jun 12, 2024
Verified User in Financial Services
Frequently Asked Questions (FAQs)
General
Subscription terms are available in 12, 24, and 36 months. Additional discounts are available for terms longer than 12 months.
Yes, please contact Sales for information on volume discounts that may be applicable to you and your organization.
Absolutely! Not only is it possible, it is also how most customers deploy Portnox in their environments.
We strive to ensure that you have the absolute best possible onboarding experience, regardless of which package you may purchase. However, some organizations may need some additional assistance or maybe don’t have time to invest in configuring a zero trust access control solution. If you require additional onboarding assistance, please contact our sales department. They can help you determine what is the best onboarding tier for your needs.
Yes. Portnox provides special educational discounts for qualifying K-12 and higher education institutions. Please contact Sales for more information.
Yes. Portnox Cloud RADIUS is deployed globally with high availability and low latency in mind. RADIUS servers are available across multiple continents, ensuring optimal performance and compliance for organizations worldwide.
Server regions include:
- United States
- Europe
- Asia/Pacific
This geographic distribution supports compliance with data residency requirements and delivers high-speed authentication responses regardless of user or device location.
RADIUS
No. Portnox's cloud RADIUS is just that - fully cloud-native, and can be deployed at scale directly through the platform without needing any additional hardware to be installed on-site.
Today, users can integrate Azure Active Directory and Microsoft Active Directory with Portnox RADIUS. The Portnox Cloud also boasts its own proprietary directory should you not currently utilize one of these services.
Relying on the IEEE 802.1X authentication protocol, Portnox RADIUS offers role-based authentication and MAC Authentication Bypass (MAB) as standard authentication options. The solution also offers account lifecycle synchronization out-of-the-box.
Absolutely! Thanks to our innovative IoT fingerprinting, we can identify over 260,000 unique IoT devices across 27,000 different brands with more being added daily. We use a variety of methods including MAC address clustering and DHCP gleaning, along with our new SaaS-based DHCP listener to quickly and accurately identify all of the devices on your network.
Yes. Portnox Cloud allows customers to leverage our multiple RADIUS servers deployed in different geographic regions of the world. Alternatively, we provide an optional Local RADIUS instance that customers can deploy on-prem or in their private cloud to provide an additional level of redundancy. Portnox Cloud can also be used as a RADIUS proxy for services such as eduroam.
NAC
Portnox supports key aspects of zero trust:
- Identity: Seamless integration with identity providers like Okta and Azure along with our own proprietary directory service
- Endpoints: Continuous risk posture assessment and automated endpoint remediation
- Data: Through the use of the IEEE 802.1X authentication protocol, Portnox protects all data traveling from various platform components to and from the system’s cloud services.
- Network: Access control enforcement across wired, wireless and VPN access layers
- Infrastructure: TACACS+ enables transparent and secure administration of network devices with centralized user authentication.
Portnox provides access control enforcement across wired, wireless, and VPN access layers.
Several unique features give Portnox the edge above other NAC solutions. Specifically continuous risk assessment and remediation allows your IT team to keep unprotected devices quarantined or off the network entirely. Risk posture is continuously evaluated, so any changes to the device are detected and acted upon quickly.
Also our innovative approach to IoT fingerprinting gives you a complete picture of what devices are lurking on your network that you may not be aware of. And finally, our cloud-based, vendor agnostic platform means you will be able to control access for all your devices without leaving anything unprotected because it doesn’t work with a more traditional, vendor-specific solution.
Absolutely! Portnox Cloud integrates directly with 3rd party solutions such as Microsoft's inTune to agentlessly assess the device's compliance state prior to granting the device access to the network. Noncompliant devices can optionally be granted limited access to a quarantine or remediation VLAN where typically access is restricted only to resources necessary to bring the device back into compliance.
Portnox's Cloud API is a RESTful endpoint documented in Swagger. This API is leveraged by customers to automate allows customers to automate routine tasks, such as adding MAC Addresses to a MAB account, Portnox Cloud supports all common CRUD (Create Read Update Delete) for devices, accounts, NASs, and sites.
CAA
Yes! Our Conditional Access for Applications solutions will control access and risk to all your applications no matter where they are hosted.
Thanks to the magic of certificate-based authentication, your device presents a digital certificate as a credential for access to your applications. This happens automatically, without the user having to remember or input anything. Since certificates can’t be copied, phished, or socially engineered, it’s much more secure than a traditional username/password authentication method.
If you choose to use Portnox as your PKI, we do all the hard work for you, including managing the certificate lifecycle.
While MFA is certainly better than passwords alone, hackers are increasingly able to bypass it. MFA fatigue, where an attacker sends tons of push notifications in the hope that someone will tap yes by accident, or social engineering where they convince employees to give them the code, are on the rise. Digital certificates as a replacement for passwords cannot be phished, guessed, or socially engineered.
Portnox's Conditional Access solution works with Windows, macOS, Linux, Android, and iOS.
TACACS+
Each TACACS+ license entitles you to one TACACS+ user and 100 TACACS+ devices. To determine which license size you need, simply count the number of TACACS+ users in your organization who will be accessing TACACS+ capable devices, such as switches, routers, etc. Then multiply that number by 100. If that number is less than the total number of TACACS+ capable devices, than take the total number of TACACS+ devices and divide by 100. This will give you the total number of TACACS+ licenses you will need to cover your environment.
Portnox TACACS is a cloud-based service which is administrated, configured, and managed through our Portnox Cloud SaaS portal. A virtual appliance is downloaded and deployed in one or more locations on your network. This virtual appliance can be deployed on Microsoft Hyper-V, VMware, or any hypervisor which supports the import of OVA or VMDK filetypes, such as Nutanix Acropolis, Citrix XenServer, Oracle VirtualBox, Proxmox, KVM, Parallels, etc.
The TACACS+ protocol standard does not include the source IP address of the originating device in the TACACS+ packet like RADIUS does. This means when a TACACS+ AAA request traverses a NAT device, such as a router or firewall, the originating source IP address in the header is replaced with the IP of the router or firewall that is performing the NAT. This makes it impossible to associate audit events to the specific device in the environment the change was made to, or to have a policy apply only to a subset of devices behind the NAT.
Not at all. TACACS+ is supported by a very wide range of vendors and devices, not just Cisco. Just a few of the vendors that support TACACS+ include Dell, Juniper, F5, Extreme Networks, Brocade, HP/Aruba, Alcatel-Lucent, Adtran, Ciena, AVI Networks, Citrix NetScaler, Ribbon Communications, Samsung, Fortinet, Fujitsu, Huawei, Netgear, Palo Alto Networks, CommScope, and Orolia SecureSync, to name only a few.
While a large number of network equipment vendors support TACACS+, there are a variety of applications, appliances, and operating systems that also support TACACS+. Some examples include Linux, BlueCat Address Manager, InfoBlox, IBM NetCool, Radware APSolute, AppViewX, Oracle Enterprise Session Border Controller, Trendmicro TippingPoint, Avocent Cyclades and many others.
Try Portnox Cloud for Free Today
Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!