Access Controls
Initiatives
Capabilities
IntegrationsThe best security investment you'll make.
Unified zero trust access control & security essentials. All from the cloud. No BS.
Volume discounts available for all products.
Product Features
| Features | Network Authentication (RADIUS)Contact Us for Pricing | Network Access Cotnrol (NAC)Contact Us for Pricing | Zero Trust Network Access (ZTNA)Free* | Unified Access Control (UAC)Contact Us for Pricing |
|---|---|---|---|---|
| Authentication Services | ||||
| Wireless, wired, VPN access | ✓ | ✓ | ✓ | |
| Anti-flood protection services | ✓ | ✓ | ✓ | |
| RadSec support | ✓ | ✓ | ✓ | |
| RADIUS forwarding rules (eduroam support) | ✓ | ✓ | ✓ | |
| Role-based authentication | ✓ | ✓ | ✓ | ✓ |
| MAC authentication bypass | ✓ | ✓ | ✓ | |
| Account lifecycle synchronization | ✓ | ✓ | ✓ | ✓ |
| Passwordless authentication | ✓ | ✓ | ✓ | |
| Certificate authority services | $1 / device | ✓ | ✓ | ✓ |
| SAML 2.0 authentication Services | ✓ | ✓ | ||
| OpenID Connect | ✓ | ✓ | ||
| Network & Application Security | ||||
| 802.1X authentication | ✓ | ✓ | ✓ | |
| Dynamic VLAN / ACL assignment | ✓ | ✓ | ✓ | |
| Portnox AgentP | ✓ | ✓ | ✓ | |
| Agentless posture assessment | ✓ | ✓ | ✓ | |
| Continuous endpoint risk & posture assessment | ✓ | ✓ | ✓ | |
| Policy enforcement & automated remediation | ✓ | ✓ | ✓ | |
| Audit tracking & logging | ✓ | ✓ | ✓ | |
| Agentless remote access | ✓ | ✓ | ||
| Split tunneling | ✓ | ✓ | ||
| SSL offloading | ✓ | ✓ | ||
| Digital experience monitoring (DEX) | ✓ | ✓ | ||
| IP geo restrictions to SaaS & hosted applications** | ✓ | ✓ | ||
| Secure SaaS application access (CASB) | ✓ | ✓ | ||
| Secure access to on-prem applications | ✓ | ✓ | ||
| Application specific risk profiles | ✓ | ✓ | ||
| Guest Access | ||||
| Guest accounts | Up to 50 guests per day | Up to 100 guests per day | ||
| Self-onboarding for guests | ✓ | ✓ | ||
| Sponsor-based onboarding | ✓ | ✓ | ||
| SMS-based onboarding | ✓ | ✓ | ||
| Control | ||||
| Role-based access policies | ✓ | ✓ | ✓ | ✓ |
| Location-based policies | ✓ | ✓ | ✓ | ✓ |
| Change of Authorization (CoA) | ✓ | ✓ | ✓ | |
| Device access geo restrictions | ✓ | ✓ | ✓ | |
| Visibility | ||||
| Monitoring-only mode | ✓ | ✓ | ✓ | |
| Archived devices data retention | 14 days | 45 days | 30 days | 60 days |
| Dynamic group assignment per device type | ✓ | ✓ | ✓ | |
| IoT profiling | ✓ | ✓ | ✓ | |
| IoT device trust | ✓ | ✓ | ||
| Intune integration for advanced device properties | ✓ | ✓ | ✓ | |
| Jamf integration for advanced device properties | ✓ | ✓ | ✓ | |
| Crowdstrike integration for advanced device properties | ✓ | ✓ | ✓ | |
| Onboarding | ||||
| Onboarding services | ✓ | ✓ | ✓ | |
| Device provisioning services | ✓ | ✓ | ||
| Certificate enrollment services | ✓ | ✓ | ||
| Reporting | ||||
| Device visibility report | ✓ | ✓ | ✓ | ✓ |
| Security compliance report | ✓ | ✓ | ✓ | |
| Guest utilization report | ✓ | ✓ | ||
| Additional Capabilities | ||||
| RADIUS proxy - local failover | ✓ | ✓ | ✓ | |
| Multi-regional redundancy | ✓ | ✓ | ✓ | |
| TACACS+ / AAA | 1 admin / 100 devices | 2 admin / 200 devices | 1 admin / 100 devices | 3 admin / 300 devices |
| SIEM | On prem/SaaS | On prem/SaaS | On prem/SaaS | On prem/SaaS |
| MFA admin access (w/ SMS) | ✓ | ✓ | ✓ | |
| MFA admin access (w/ Authenticator App) | ✓ | ✓ | ✓ | |
| RESTful API | ✓ | ✓ | ✓ | |
| Entra (Azure) AD/Google Workspace/Active Directory | ✓ | ✓ | ✓ | ✓ |
| Okta | ✓ | ✓ | ✓ | |
| Extended device data retention | Add 30 days - 99¢ / device / year | Each additional 30 days - 99¢ / device / year | Add 30 days - 99¢ / device / year | Each additional 30 days - 99¢ / device / year |
| 24x7x365 Support | Elite Services Customers | Elite Services Customers | Elite Services Customers (With Paid ZTNA Subscription) | Elite Services Customers |
| 24x5 Standard Support | ✓ | ✓ | With Paid ZTNA Subscription | ✓ |
| Community Support | ✓ | ✓ | ✓ | ✓ |
| Add-on Packs | ||||
| Extended guest package (50) | $ | $ | $ | |
| Additional SMS package (1000) | $ | $ | $ | |
| TACACS+ / AAA | $ | $ | $ |
** Application must support restrictions based on IP address or subnet
TACACS+
$200 USD/Admin/Month
| Authentication Services | Authorization Services | Accounting Services |
|---|---|---|
| Azure AD | Privilege Levels | User Identities |
| Google Workspace | Session Timeouts | Start / Stop Times |
| Microsoft AD | Command Restrictions | Executed Commands |
| OKTA | Allowed Services | Packet Transfers |
| Password Encryption | Custom Attributes |
We want our partners to grow their businesses alongside us.
Our partners are an extension of our business. As such, Portnox’s Partner Program offers special pricing and incentives designed to award those partners committed to achieving our shared goal of securing network access for more and more companies around the world.
Don't take our word for it.
"Easy to setup, deploy, manage and support."
Verified User in Financial Services
"Portnox Powerhouse"
Verified User in Manufacturing
"Seamless integration with Microsoft Intune to extend a ZTNA Network"
IT Supervisor
"Vital Piece of the Security Puzzle"
Frequently Asked Questions (FAQs)
General
Subscription terms are available in 12, 24, and 36 months. Additional discounts are available for terms longer than 12 months.
Yes, please contact Sales for information on volume discounts that may be applicable to you and your organization.
Absolutely! Not only is it possible, it is also how most customers deploy Portnox in their environments.
We strive to ensure that you have the absolute best possible onboarding experience, regardless of which package you may purchase. However, some organizations may need some additional assistance or maybe don’t have time to invest in configuring a zero trust access control solution. If you require additional onboarding assistance, please contact our sales department. They can help you determine what is the best onboarding tier for your needs.
Yes. Portnox provides special educational discounts for qualifying K-12 and higher education institutions. Please contact Sales for more information.
Yes. Portnox Cloud RADIUS is deployed globally with high availability and low latency in mind. RADIUS servers are available across multiple continents, ensuring optimal performance and compliance for organizations worldwide.
Server regions include:
- United States
- Europe
- Asia/Pacific
This geographic distribution supports compliance with data residency requirements and delivers high-speed authentication responses regardless of user or device location.
RADIUS
No. Portnox's cloud RADIUS is just that - fully cloud-native, and can be deployed at scale directly through the platform without needing any additional hardware to be installed on-site.
Today, users can integrate Azure Active Directory and Microsoft Active Directory with Portnox RADIUS. The Portnox Cloud also boasts its own proprietary directory should you not currently utilize one of these services.
Relying on the IEEE 802.1X authentication protocol, Portnox RADIUS offers role-based authentication and MAC Authentication Bypass (MAB) as standard authentication options. The solution also offers account lifecycle synchronization out-of-the-box.
Absolutely! Thanks to our innovative IoT fingerprinting, we can identify over 260,000 unique IoT devices across 27,000 different brands with more being added daily. We use a variety of methods including MAC address clustering and DHCP gleaning, along with our new SaaS-based DHCP listener to quickly and accurately identify all of the devices on your network.
Yes. Portnox Cloud allows customers to leverage our multiple RADIUS servers deployed in different geographic regions of the world. Alternatively, we provide an optional Local RADIUS instance that customers can deploy on-prem or in their private cloud to provide an additional level of redundancy. Portnox Cloud can also be used as a RADIUS proxy for services such as eduroam.
NAC
- Identity: Seamless integration with identity providers like Okta and Azure along with our own proprietary directory service
- Endpoints: Continuous risk posture assessment and automated endpoint remediation
- Data: Through the use of the IEEE 802.1X authentication protocol, Portnox protects all data traveling from various platform components to and from the system’s cloud services.
- Network: Access control enforcement across wired, wireless and VPN access layers
- Infrastructure: TACACS+ enables transparent and secure administration of network devices with centralized user authentication.
Portnox provides access control enforcement across wired, wireless, and VPN access layers.
Several unique features give Portnox the edge above other NAC solutions. Specifically continuous risk assessment and remediation allows your IT team to keep unprotected devices quarantined or off the network entirely. Risk posture is continuously evaluated, so any changes to the device are detected and acted upon quickly.
Also our innovative approach to IoT fingerprinting gives you a complete picture of what devices are lurking on your network that you may not be aware of. And finally, our cloud-based, vendor agnostic platform means you will be able to control access for all your devices without leaving anything unprotected because it doesn’t work with a more traditional, vendor-specific solution.
Absolutely! Portnox Cloud integrates directly with 3rd party solutions such as Microsoft's inTune to agentlessly assess the device's compliance state prior to granting the device access to the network. Noncompliant devices can optionally be granted limited access to a quarantine or remediation VLAN where typically access is restricted only to resources necessary to bring the device back into compliance.
Portnox's Cloud API is a RESTful endpoint documented in Swagger. This API is leveraged by customers to automate allows customers to automate routine tasks, such as adding MAC Addresses to a MAB account, Portnox Cloud supports all common CRUD (Create Read Update Delete) for devices, accounts, NASs, and sites.
ZTNA
Portnox ZTNA is cloud-native, passwordless, agentless, and clientless. Unlike VPNs, it doesn’t tunnel traffic or require endpoint software. It enables direct, policy-based access to apps without compromising user experience or security.
In short, no. A paid subscription to Portnox ZTNA is 100% agentless and clientless, which means users can connect securely without installing anything—reducing friction and IT overhead.
If you're interested in the free version of Portnox ZTNA, installation of Portnox’s lightweight endpoint posture assessment tool, AgentP, is required.
Every access attempt is evaluated in real time. Portnox checks device posture (e.g., OS version, endpoint protection, encryption) before granting access. Non-compliant devices are blocked or guided through automated remediation.
Yes. Portnox ZTNA provides secure remote access to cloud and on-prem apps—without the latency, maintenance, or security risks of VPNs.
Yes. It uses certificate-based authentication to eliminate the need for usernames and passwords—protecting users from phishing and credential theft.
TACACS+
Each TACACS+ license entitles you to one TACACS+ user and 100 TACACS+ devices. To determine which license size you need, simply count the number of TACACS+ users in your organization who will be accessing TACACS+ capable devices, such as switches, routers, etc. Then multiply that number by 100. If that number is less than the total number of TACACS+ capable devices, than take the total number of TACACS+ devices and divide by 100. This will give you the total number of TACACS+ licenses you will need to cover your environment.
Portnox TACACS is a cloud-based service which is administrated, configured, and managed through our Portnox Cloud SaaS portal. A virtual appliance is downloaded and deployed in one or more locations on your network. This virtual appliance can be deployed on Microsoft Hyper-V, VMware, or any hypervisor which supports the import of OVA or VMDK filetypes, such as Nutanix Acropolis, Citrix XenServer, Oracle VirtualBox, Proxmox, KVM, Parallels, etc.
The TACACS+ protocol standard does not include the source IP address of the originating device in the TACACS+ packet like RADIUS does. This means when a TACACS+ AAA request traverses a NAT device, such as a router or firewall, the originating source IP address in the header is replaced with the IP of the router or firewall that is performing the NAT. This makes it impossible to associate audit events to the specific device in the environment the change was made to, or to have a policy apply only to a subset of devices behind the NAT.
Not at all. TACACS+ is supported by a very wide range of vendors and devices, not just Cisco. Just a few of the vendors that support TACACS+ include Dell, Juniper, F5, Extreme Networks, Brocade, HP/Aruba, Alcatel-Lucent, Adtran, Ciena, AVI Networks, Citrix NetScaler, Ribbon Communications, Samsung, Fortinet, Fujitsu, Huawei, Netgear, Palo Alto Networks, CommScope, and Orolia SecureSync, to name only a few.
While a large number of network equipment vendors support TACACS+, there are a variety of applications, appliances, and operating systems that also support TACACS+. Some examples include Linux, BlueCat Address Manager, InfoBlox, IBM NetCool, Radware APSolute, AppViewX, Oracle Enterprise Session Border Controller, Trendmicro TippingPoint, Avocent Cyclades and many others.
Try Portnox Cloud for Free Today
Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!