Portnox v3.3 - Getting Started Guide


GETTING STARTED GUIDE
Version 3.3
NOTICE OF COPYRIGHT

This user documentation is protected by national legislation and international copyright treaties. The names access layers® and portnox®, their logos, names of software products published by access layers and their logos are registered trademarks.

When they are not registered trademarks, the names of software products
published by access layers are protected by national and international trade
name legislation and by national and international software legislation. The
other cited brand names and registered trademarks are the property of their
respective owners.

No part of this documentation may be reproduced, in any form or by any means, without prior written permission from access layers except where otherwise stated in the software license agreement.

access layers will not be held liable for any typographical errors, screenshot
errors or any consequences arising from incorrect use contrary to this
manual.

This user manual is intended exclusively for educating and training individuals. In no way will it be considered as a contract, agreement (including sui generis), or an advertising and/or promotional text.

© 2018 access layers inc, USA – All rights reserved


Table of Contents

Introduction
Where and how to begin?
  My Network
    Preparing the Environment
    Installation Prerequisites
  Installing Portnox core™
  Initial Configuration
    Access the portnox web console
    My First Switch
    Interact with the Switch
  Identifying Devices
    Device Identification Methods
    Verify Device Triangulation
  Authentication
    Device Authentication Methods
    Define an Authentication Method
    Construct a Security Policy
    Verify Device Authentication
    Define Additional Authentication Methods
    Define a Resident Device
    Defining a Compliance Model
    Enforcement - Define Reaction for the Security Policy
    Configuring Your Alert Email
  Test portnox™ Policy Operation
How should I continue from here?


portnox™ v3.3 Getting Started Guide

Introduction
This manual is intended to be a guide for the quick installation and basic configuration of the
portnox system. It is recommended that the installation and configuration of portnox on your
networks be performed by a competent IT professional. portnox is a versatile, accommodating
and flexible software product. This manual outlines the steps for a quick installation in order to
monitor a representative switch in your network.

This manual will:

• Explain how to install and configure portnox

• Guide you through network access monitoring

• Help you to create and enforce an access policy for legitimate devices

• Explain how to actively address and resolve basic configuration problems

The goal of this manual is to provide you with the required steps to complete a successful
portnox installation and basic configuration. Please keep in mind that portnox has multiple
installation steps, and that this is only the initial step of implementation on your network. Upon
its completion, it is recommended to continue to implement and customize additional functions
of portnox. Please refer to the portnox CORE user manual for more details.

Please note!
Portnox CORE is in transition to a Next Generation user experience; therefore some of the
functionality may only appear in the Portnox Classic UI.


Where and how to begin?


The objective of portnox is to ensure that all devices connected to the network are properly
identified, authenticated and comply with company policy.

There are several issues to consider before and during the installation of portnox. The following
points will guide you through building your basic implementation plan.

Recommendation:
It is best to start with a basic configuration, running in 'monitoring mode' and using standard
authentication of IP devices.

Prior to installation, it is advised to outline the tasks associated with the implementation of the
portnox in your network.

Task No. Description

1 My Network
  • Decide where to start, and which access layer (network switch) to address first.

2 Prepare the environment for portnox.

3 Install portnox.

4 Access the portnox web console (login).

5 My First Switch
  • Verify that portnox and the switch are communicating.
  • Define the first switch.
  • Define uplinks.
  • Enable the switch.
  • Interact with the switch.

6 Identify devices connected to the switch
  • Define IP Helpers.
  • Verify device triangulation.

7 Authentication
  • Verify device authentication methods.
  • Define an authentication method.
  • Construct a security policy.
  • Verify device authentication.

8 Define Additional Authentication Methods
  • Define a compliance rule.

9 Test the portnox installation.

After completing this first stage of the implementation, you can repeat the above steps with
additional access layers of your network and make use of more of the portnox options.

My Network
Regardless of the size and breadth of your network, it is advised to separate the installation into
several steps. Your network could be a small network, composed of just a few switches and a
router or, a larger enterprise network. It might be a standard LAN, wireless LAN, WAN based
and so on. It could be using public and private cloud (external) services, virtual servers, it could
be VoIP enabled and there could be more than “the eye can see”.

It is best to start with a representative sample of your main network segment, part of a regular
LAN. You can address your backbone or other parts of the network later.

Recommendations:
Choose an insignificant part of the network (i.e. one switch) to start the installation. (If a mistake
is made, it will have little or no impact on the network.)
Start with one switch on your users' network. (Up to 100 ports would be a reasonable starting
point, e.g. four switches of 24 ports.)

Do not address all of the switches at once!

Preparing the Environment


Prior to installation, the following must be addressed to properly prepare the environment:

Accessing the switch
portnox should have SNMP access to the switch(es) it will be connected to. Configure portnox
with the switch SNMP read and write communities; you may safely start with read only (SNMP
write is required primarily for enforcement).

Setting SNMP traps
Set SNMP traps to be sent to the portnox server. These are needed for real time notification of
events.
Configure / enable sending traps from the switch to the portnox IP address. The most important
are the link up and link down trap events.
After installation, verify that the events are indeed received by portnox.
Note: An example is detailed in the 'My first switch' section.

Accessing IP Helpers
portnox must have read access to any IP helper you are about to configure. IP helpers are
usually standard routers, firewalls or Layer 3 switches that can provide the IP address matching
a MAC address (i.e. ARP table output).
The portnox server makes use of such helpers to find the missing piece (the IP address) that
Layer 2 access switches cannot provide.
Access verification to the IP Helper using

Enabling access to and from the portnox server
Verify that the portnox server is capable of communicating with ANY IP device it needs to
authenticate and verify.
Enable the portnox server IP at the firewall level to initiate at start in 'any' mode (in case there
is such a firewall or access list on the network).
Verify that the portnox IP address is white listed at the IPS system, if one is present; otherwise
it will be marked as a risk.
Ensure there are no GPO limitations at the domain level. Such limitations will prevent the
portnox server from posting a probe to a standard win32 device.

portnox is a three-tier software system; it is composed of a database (MSSQL), an application
layer (portnox application), and a presentation layer (IIS web server). Prior to installing
portnox, you should decide where each component should reside and prepare the environment
accordingly.

Provided below are the details of a basic installation with one server only during the initial
phase of the installation. The database or the presentation layer may be separated to different
servers later on.


Installation Prerequisites
Make sure the following technical prerequisites are met:

portnox Server
Windows 2012 or Windows 2012 R2

Or

Windows 2016 (please note the prerequisites for the OS installation)

Hardware or Virtual Machine:

At least 4 CPUs, dual core Xeon 3.x GHz or equivalent (one core for each 60 switches)

Minimum of 4 GB RAM

72 GB of disk space (RAID 5 recommended)

Additional considerations:

The server must have a static IP address.

In the case when only one main Microsoft domain is available, consider adding the server as a
standard domain member.


Installing Portnox core™


Insert the portnox installation CD or mount the downloaded ISO file.

1. Click the setup.exe file. The setup preparation dialog will appear:
Note: Prior to installing the portnox server, the portnox installation process will attempt to install any missing
component that is required for its operation.

Click "Install" and wait for all components to be installed.

Choose "Yes" for every component that requires approval.

After all components are installed, the Portnox installation prepares to start.

2. The Portnox software is now ready to be installed.


3. Click next, the following dialog will appear:

4. Choose new installation. The License Agreement dialog will appear:


5. Accept the license agreement and click next. The Setup Type dialog will appear:


6. Choose complete setup and click next.

7. Type and then retype the password for your portnox admin user. You will use this user
ID and the password later on to access the portnox web console.


8. Click next, and the Site Information dialog will appear:

9. In the all-in-one server installation, keep all of the default settings, and click next.


10. Click next. Please wait for the portnox setup to complete its task.
This process will take a few more minutes.

11. Upon the completion of the portnox installation, restart the server. Following the restart of
your computer, all portnox services should be running.

Note: In addition to the portnox main application, several dedicated utilities will be installed to later assist you
with the implementation process.

Desktop Utilities

portnox Web Console – It enables access to the portnox web management interface. (Additional
functionalities of the portnox Web Console are detailed in The portnox User Guide).

portnox Monitor – It monitors and controls all the portnox services. (Additional functionalities
of the portnox monitor are detailed in the portnox User Guide).

OS Fingerprint – It enables you to define signatures for special devices. (For more information on
the OS Fingerprint utility, refer to the portnox User Guide)

Deployment Helper – It assists in the deployment and the management of the portnox
application as well as the managed assets, such as switches, ports and other devices. (The
Deployment Helper is addressed later in this guide.)


Initial Configuration
Now that you have completed the installation of portnox, it is time for configuration.

Access the portnox web console


The portnox management console is accessible through a web browser.
The portnox login URL: http://%servername%:8756/portnox/

• Replace %servername% with the IP address or hostname of the server that portnox is
installed on.
Note: The management console port that was set during installation might be different from the one mentioned
above. If you accepted the defaults during the installation, the port number is 8756.

Use the portnoxadmin user name and the password you have set during installation, and click
“login”.

Once you have logged in, a clean dashboard will appear. Portnox will not show or act prior to the
configuration of network elements.

The next step will be to configure your first switch.


My First Switch
The first step is to configure a switch under the Network menu.

Recommendation:
Before defining the switch, review Appendix 1 to verify switch communication and that portnox receives trap
events from the switch.

Information you should have:

• Switch management IP address

• SNMP community strings (if available)

• Switch vendor/model (optional)

• Switch console/terminal access credentials (optional)

• Switch interconnect mode (stack, backbone, etc.) (optional)

Define the First Switch


Information required for successfully completing this stage:

• The port numbers used as uplinks to other switches (e.g. ports 01 & 24).

Note: For a successful implementation, it is MANDATORY to identify all uplinks defined on the switch.

Portnox uses AI logic to automatically identify uplink ports, but it is important to monitor it closely on the first
few switches added to a new deployment.
Failing to do so will result in errors (mainly duplicate MAC addresses). This item is discussed in further detail in
the 'Define Uplinks' section.

To define a switch, go to Network in the bar at the top of the page and do the following:

1. Click the button -> the add entity page appears in the Network page.

2. Enter the required data in the add entity dialog:

Type: Use: Switch
Hive: At this stage you should use the predefined hive: Entire network
IP: Switch management IP address.
Monitoring Status: Make sure it is marked 'On'

Note: There are additional and more advanced configuration options available; however, those are not covered in
this document.

Press + SNMP. The switch SNMP settings pane expands.

Enter the switch SNMP Read and Write community values.

3. Click Save & Close.

At this stage the switch has been defined and added to Portnox.

In case you encounter errors in this stage, this might suggest switch compatibility issues;
please refer to the portnox support web site for further documentation or open a support ticket.

Define Uplinks
Identifying uplinks in your environment is crucial for the success of the portnox installation.
This step determines which port at the switch will be used to connect to other switches. At this
step, define this port accordingly.

In most cases Portnox will automatically identify uplinks and you can skip this step.

It is important to view the presentation of the switch and locate any multiple devices port.
Review each port within to determine which ports need to be defined as uplinks.

To manually define uplinks, review the switch in NAS VIEW:

1. Select the switch port you want to define as an uplink.

2. Click 'More Port Details'.

3. Check the uplink 'On' button.

4. Click Save and Close.

Note: For additional settings that can be defined for each port please refer to the User Manual.


Interact with the Switch


Once the switch is configured, you can view its details and status, as well as interact with it, from
the portnox NAS VIEW page.

To interact with the switch, navigate to the NAS VIEW page under the NAS menu, and complete
the following:

1. The switch details and all its ports are displayed enabling a view of their status.

2. Since no IP helpers have been defined yet, most ports will be displayed as active and
invalid and be highlighted in red.

3. Clicking on a specific port will open the Port Details pane and if a device is connected on
that port it will also open the Device Details pane

4. Right-click on any port to see the options available. Click ‘disable’ on unused ports. Verify
that the port color turns gray (this indicates the operation was successful).
Note: Disable / Enable / Set VLAN commands and administrative tasks are available at the GUI level, but will be
successfully executed only if the switch SNMP write access is supplied.


Identifying Devices
In order to interact with a device, portnox must have the following three elements:

• The port on the switch

• The device MAC address

• The device IP address

When the portnox server is physically connected to a standard Layer 2 switch, it obtains from the
switch information about all the ports and the MAC addresses of the devices connected to them.
The portnox application attempts to match every port and MAC address to a corresponding IP
address. This can be accomplished using one or both of the identification methods described
below.

Device Identification Methods


The Layer 3 based IP helper is the recommended way of operation, unless there is a known
network or security limitation.

Recommendations:

• Using the Deployment Helper, perform an inspection and validation of the chosen IP
Helper.

• Access the Deployment Helper tool and select the IP helper tab for TELNET/SSH based
devices, or the SNMP tab for SNMP based devices:


Note: If all IP helpers are similar, there is no need to switch over to the deployment helper for validation. You
can submit the configuration directly at the web console level.

Using an "IP Helper" (this term has nothing to do with DHCP): An "IP Helper" is a Layer 3
device that best represents the devices on its associated VLAN. For example, a default
gateway router would best represent the workstation VLAN; a PBX server would best
represent the IP phone network devices; and a print spooler would best represent the printer
network. You could also consider using a standard Layer 3 switch, a firewall, etc.

Information you should have:

• The IP address and access credentials of the IP helpers you wish to use.

portnox will connect to the IP helpers to retrieve their local ARP table, using one of the
supported protocols: SSH, TELNET (CLI based) or SNMP.

Example: an ARP command showing the IP-to-MAC address coupling, run by a regular user (not admin / root):


Define IP Helper Verification Process


It is recommended to use SNMP to connect to the IP Helper – if not, other methods are acceptable.

Information you should have ready for each IP helper definition:

Name: The IP Helper name or identifier.
IP: The address of the IP Helper.
Transport type: The method used to connect to the IP Helper: SNMP, SSH or TELNET.

For SNMP transport:

SNMP read: SNMP community value required for accessing the ARP agent device.

For SSH transport:

Username: The username used for authentication.
Password: The password used for authentication.
Private key: Optional: a private key for two factor authentication.
ARP table command: The command required to retrieve the ARP table from the ARP agent.
Prompt: Optional: a prompt during an authentication process which indicates that the device is
ready to receive the next command.
Privileged mode: Optional: a command and its supported password required to gain privileged
access.

Note: Additional (advanced) settings for each IP helper are not covered within this document.

Finally, to define an IP helper for use, go to Network in the bar at the top of the page and do the
following:

1. Click the button -> the add entity page appears in the Network page.

2. Choose Type "IP Helper".

3. Enter the required data in the add entity dialog:

Type: Use: IP Helper
Name: Name of the IP Helper, to help you easily identify it
IP Address: IP Helper IP address
Monitoring Status: Make sure it is marked 'On'

Note: There are additional and more advanced configuration options available; however, those are not covered in
this document.

Press + TRANSPORT. The SNMP settings pane expands.

Enter the IP Helper SNMP Read community value.

4. Click Save & Close.

5. To define another IP Helper, repeat steps 1 - 5.


Verify Device Triangulation


Following the configuration of the switch and its ports, portnox will identify all connected
devices and populate the portnox management database with their IP addresses.

It is recommended to verify the device information.

This can be accomplished through the following steps:

1. Navigate to the NAS VIEW page under the NAS menu.


The defined switch will be displayed.

2. Click on any of the ports that are not colored black or defined as uplink.

• The port and device details are displayed.

3. Verify that the devices all have their basic information displayed: MAC address, IP
address and a network name (optional).

Note: If an IP address is missing, the port will be displayed as ‘missing IP’. To resolve a ‘missing IP’, validate
your settings and assure there is connectivity to the IP Helper (as previously defined).
Note: A missing IP may also be related to an additional VLAN found on the switch that the IP helper does not
display. (ex. static IP addresses with no default route, APIPA address, etc.)
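The triangulation described above (switch port + MAC from the switch, IP from the IP helper's ARP table), as an added example that is not part of the original guide or the product's code. It joins the two tables, marks each access port as identified or 'missing IP', and shows why an undefined uplink produces duplicate MAC addresses; the bridge and ARP dumps, switch names and addresses are all constructed.

```python
"""Device triangulation as the guide describes it: join each switch's
port/MAC table with the ARP table read from an IP helper, then flag ports
that are 'missing IP' and MACs seen on more than one access port (the
duplicate-MAC symptom of an uplink that was not defined).

Added example, not portnox code. All sample data is constructed; the real
product collects these tables from the switch and the IP helper over
SNMP/SSH/TELNET.
"""
from collections import defaultdict

# Constructed bridge (FDB) dump: "<switch> <port> <mac>". Port 24 of each
# switch is the uplink to the other one, so it relays the other switch's MACs.
SAMPLE_BRIDGE = """
sw-floor1 Gi1/0/5  0011.2233.4455
sw-floor1 Gi1/0/7  00-1A-2B-3C-4D-5E
sw-floor1 Gi1/0/24 AA:BB:CC:DD:EE:01
sw-floor1 Gi1/0/24 AA:BB:CC:DD:EE:02
sw-floor2 Gi1/0/3  AA:BB:CC:DD:EE:01
sw-floor2 Gi1/0/9  AA:BB:CC:DD:EE:02
sw-floor2 Gi1/0/24 0011.2233.4455
sw-floor2 Gi1/0/24 00-1A-2B-3C-4D-5E
"""

# Constructed ARP output from the IP helper (the workstation VLAN's default
# gateway): "<ip> <mac>". 00:1a:2b:3c:4d:5e has no entry, e.g. a static IP
# with no default route, so the helper never saw it.
SAMPLE_ARP = """
10.1.0.15 00:11:22:33:44:55
10.1.0.31 aa:bb:cc:dd:ee:01
10.1.0.32 aa:bb:cc:dd:ee:02
"""


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts aa:bb, AA-BB and aabb.ccdd.eeff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bridge_table(text):
    """(switch, port) -> set of MACs learned on that port."""
    table = defaultdict(set)
    for line in text.strip().splitlines():
        switch, port, mac = line.split()
        table[(switch, port)].add(normalize_mac(mac))
    return dict(table)


def parse_arp_table(text):
    """mac -> ip: the missing piece a Layer 2 switch cannot supply."""
    arp = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()[:2]
        arp[normalize_mac(mac)] = ip
    return arp


def triangulate(bridge, arp, uplinks=frozenset()):
    """Return ({(switch, port): status}, {mac: [ports it was seen on]}).

    status is 'uplink', 'identified' (every MAC got an IP) or 'missing IP'.
    Uplink ports are skipped entirely: the MACs behind them belong to
    other switches, so counting them would duplicate every device.
    """
    status = {}
    seen_on = defaultdict(list)
    for key, macs in bridge.items():
        if key in uplinks:
            status[key] = "uplink"
            continue
        ips = []
        for mac in sorted(macs):
            seen_on[mac].append(key)
            ips.append(arp.get(mac))
        status[key] = "identified" if all(ips) else "missing IP"
    duplicates = {m: sorted(p) for m, p in seen_on.items() if len(p) > 1}
    return status, duplicates


if __name__ == "__main__":
    bridge = parse_bridge_table(SAMPLE_BRIDGE)
    arp = parse_arp_table(SAMPLE_ARP)
    # First pass: no uplinks defined, as on a freshly added switch.
    _, dups = triangulate(bridge, arp)
    print("duplicate MACs with uplinks undefined:", sorted(dups))
    # Second pass after defining the uplinks in NAS VIEW.
    uplinks = {("sw-floor1", "Gi1/0/24"), ("sw-floor2", "Gi1/0/24")}
    status, dups = triangulate(bridge, arp, uplinks)
    for key in sorted(status):
        print(key, "->", status[key])
    print("duplicate MACs after defining uplinks:", sorted(dups))
```

With the uplinks undefined every MAC is reported twice; once they are defined only sw-floor1 Gi1/0/7 remains 'missing IP', which is exactly the case to check against the IP helper's view of that VLAN.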


Authentication
Upon the completion of the portnox identification for connected devices, each device will need
to be authenticated. There are several authentication methods to service groups of devices or
ports.

Device Authentication Methods


• Windows domain based authentication – portnox verifies the device as an authenticated
domain member. This should be the preferred method for authenticating most of the
standard Windows workstations on your network.

• SNMP based authentication – portnox verifies the device using an SNMP community and
object identifier. This should be the preferred method for authenticating printers and
network devices on your network.

• SSH based authentication – portnox verifies the device over SSH transport. This should
be the preferred method for authenticating UNIX and Linux based machines on your
network.

In addition to the above examples of authentication methods, portnox supports several more
unique cases:

• Resident – There might be some exceptional devices on your network that can't be
authenticated with the above methods (ex. IP coffee machine, time attendance device, etc).
In such cases, you can define the device as a resident. This definition allows portnox to
lock the device’s MAC address with the port or VLAN it is connected to, requiring no
additional information for authentication (besides the device’s MAC address).

• Rex – There are devices and/or ports that portnox should monitor and audit, but never
block. These might be devices with high access value, such as firewalls or laptops used by
administrators. Such devices can be marked as rex. portnox will not apply any security
policies to these devices. It is also possible to mark a port as a rex port and portnox will
not apply any security policy to such ports.

Recommendations:

• The usage of the advanced options (domain, SNMP, SSH, etc.) is always the preferred
method of authentication. The use of a weaker option, such as residents (MAC address) is
acceptable only in cases where there is no other option available.

Ex. Enabling the SNMP daemon on a printer will aid in avoiding the use of MAC based
authentication for that device.


Information you should have:

• A list of device types and their preferred method of authentication. The table below
illustrates a few examples:

Device type     Authentication type
Workstations    win32 domain
Printers        SNMP
FW              Rex
Unix server     SSH

Note: There are 20 different authentication options for use with portnox. Please review the portnox user guide for
more information.

Define an Authentication Method


This section describes only the most common authentication methods: Windows domain,
SNMP and SSH. These will most likely cover the majority of the devices on your network.

To define an authentication method, please follow these steps:

1. Navigate to the Security menu -> BUILDING BLOCKS -> Authentications page.

2. Click the button -> add new authentication page appears

3. Choose Type “MS domain”.

4. Enter the required data in the add new authentication dialog


Name: Name of this domain authentication instance. For example: OfficeDomainAuth
Type: Select: MS domain
User, Password: User account with the base privileges to post WMI queries (i.e. workstation
administrator)
netbios: Short domain name for the provided FQDN
FQDN: Fully qualified domain name. The account must have a minimum of local admin
privileges on the local workstation.

5. Leave all other options with their defaults;

6. Click Save & Close. (to add this method to the list of authentication methods).
Note: Prior to adding additional authentication methods, verify that recently defined method works properly. To
do so, configure a basic security policy.


Construct a Security Policy


portnox supports a rich and flexible security policy. The policy can combine different rules
to encompass the whole network, selected parts of the network, or even a single device or port.
The policy includes multiple authentication methods for the applicable locations, as well as the
actions to be taken when an event is triggered.

This basic security policy will monitor and send an email if an alert is triggered. It will not,
however, initiate or perform enforcement of any kind (i.e. block, disable etc.).

portnox implements security policies by using 'rule sets', which are combinations of various
authentication rules, events and actions. When there are several rules in a 'rule set', the device
has to "pass" at least one of them to be authenticated.

Define a Security Rule


To create a security rule in the security policy:

1. Navigate to the Security menu -> POLICY -> Access Rules page.

2. Click the button -> add new rule page appears

3. In the auth Method select the authentication method as previously defined.

4. Click Save & Close. (to add this rule to the effective policy).


5. You will notice a message that policy was loaded successfully

Verify Device Authentication


You can now verify the authentication method you have defined at the beginning of this step:

1. Access the nas view page in the nas tab.

2. Navigate to the NAS VIEW page under the NAS menu and select the switch on which the
device is connected

3. Click on the device port to expand the view - port and device details are displayed

4. The ports of the devices that are now authenticated by the MS domain method should be
green (status: authenticated).

The ports of the devices that are not authenticated by the MS domain method should be red,
indicating a rogue device alert.

Define Additional Authentication Methods


To define additional authentication methods:

1. Navigate to the Security menu -> BUILDING BLOCKS -> Authentications page.

2. Click the button -> add new authentication page appears

3. To add a SNMP based authentication:

In the add new dialog, enter the following:

Name: Name of this SNMP authentication profile (i.e. printersAuth)
Type: Select: SNMP
SNMP Read: Community string required for accessing the device.
Get OID: SNMP object identifier
Expected Result: SNMP wildcard expression which must match the result of the 'get oid'
command. The result is not case sensitive. If more than one result is desired, they can be
specified separated with a semicolon (i.e. *phaser*; *Xerox*).

Click Save & Close to add this method to the list of authentication methods.

4. To add SSH based authentication:

In the add new dialog enter the following information:


Name: Name of this SSH instance (i.e. unixSSHAuth)
Type: Select: SSH
User, Password: Basic authentication parameters.
Port: SSH port number, e.g. 22

Leave all other entries with their default;

5. Click Save & Close to add this method to the list of authentication methods.

Update the Security Policy


To update the previously defined security policy, you must create a new security rule to include
the SNMP and SSH based authentication that was just defined.

To update the security policy:

1. Navigate to the Security menu -> POLICY -> Access Rules page.

2. Click the button -> add new rule page appears

3. In the auth Method select the authentication method as previously defined.

4. Click Save & Close. (to add this rule to the effective policy).

5. You will notice a message that policy was loaded successfully
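The two pieces of policy logic this guide relies on, as an added example (not portnox code): the SNMP method's Expected Result, a semicolon-separated list of case-insensitive wildcard expressions compared with the value read from the Get OID, and the rule-set evaluation from 'Construct a Security Policy', where a device is authenticated if it passes at least one access rule. The devices, the domain name corp.example.com and the in-memory stand-ins for the SNMP GET and the domain check are assumptions; sysDescr (1.3.6.1.2.1.1.1.0) is the standard MIB-2 object.

```python
"""Expected Result wildcard matching for SNMP based authentication, plus
rule-set evaluation (pass at least one rule). Added example, not portnox
code; the probes are simulated with constructed per-device data.
"""
import re


def wildcard_to_regex(expr):
    """Translate one wildcard expression into an anchored, case-insensitive
    regex. Only '*' (any run) and '?' (any single char) are special; every
    other character is matched literally, so '.' in an OID value is safe."""
    out = []
    for ch in expr.strip():
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def expected_result_matches(expected, value):
    """True if the OID value matches any ';'-separated expression.
    Empty entries (a trailing ';') are ignored rather than matching nothing."""
    patterns = [p for p in expected.split(";") if p.strip()]
    return any(wildcard_to_regex(p).match(value) for p in patterns)


# --- simulated probes: one per authentication type used on this page ---

def snmp_auth(method, device):
    """SNMP based authentication: GET the OID, compare with Expected Result.
    A missing value (no agent, wrong community, OID absent) fails closed."""
    value = device.get("snmp", {}).get(method["get_oid"])
    if value is None:
        return False
    return expected_result_matches(method["expected_result"], value)


def domain_auth(method, device):
    """MS domain authentication: device must be a member of the method's FQDN.
    Stand-in for the real WMI query made with the configured account."""
    return device.get("domain", "").lower() == method["fqdn"].lower()


CHECKS = {"SNMP": snmp_auth, "MS domain": domain_auth}


def evaluate_rule_set(rules, device):
    """A device passes when at least one rule's authentication method passes.
    Returns the name of the first passing method, or None (rogue device)."""
    for rule in rules:
        method = rule["auth_method"]
        if CHECKS[method["type"]](method, device):
            return method["name"]
    return None


# Constructed authentication methods, named as in the guide's examples.
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"
PRINTERS_AUTH = {"name": "printersAuth", "type": "SNMP",
                 "get_oid": SYSDESCR_OID, "expected_result": "*phaser*; *Xerox*"}
OFFICE_DOMAIN_AUTH = {"name": "OfficeDomainAuth", "type": "MS domain",
                      "fqdn": "corp.example.com"}
# Two access rules in one rule set: domain first, then SNMP.
RULES = [{"auth_method": OFFICE_DOMAIN_AUTH}, {"auth_method": PRINTERS_AUTH}]

# Constructed devices: what each probe would see on the wire.
DEVICES = {
    "printer": {"snmp": {SYSDESCR_OID: "XEROX Phaser 6510DN; OS 1.2"}},
    "workstation": {"domain": "CORP.example.com"},
    "rogue": {"snmp": {SYSDESCR_OID: "Linux raspberrypi 5.10.63-v7+"}},
}

if __name__ == "__main__":
    for name, dev in DEVICES.items():
        print(name, "->", evaluate_rule_set(RULES, dev) or "ROGUE")
```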

Verify Device Authentication


To verify the authentication methods you have defined:

1. Navigate to the NAS VIEW page under the NAS menu and select the switch on which the
device is connected


2. Click on the device port to expand the view - port and device details are displayed

3. The ports of the devices that are now authenticated by the SNMP and SSH
authentication methods should be green (status: authenticated).


Define a Resident Device


During the implementation process, there might be several devices that you wish to
authenticate based only on their MAC address, or that you prefer to authenticate at a later
time. To avoid "rogue" events for these devices, you can define them as resident (either
temporarily or permanently).

Resident devices belong to a resident group. A resident group is locked to a specific switch
port, VLAN, hive or location, or to the block list (devices in it are automatically blocked,
i.e. blacklisted). A resident device is trusted on the strength of its MAC address alone, which
is easy to spoof, so lock the group as narrowly as the device's placement allows (a single
switch port rather than a whole hive) and prefer the temporary option where the exception is
only needed during rollout.

To configure a device as resident, first create the relevant resident group (unless using
an existing one):

1. Navigate to the Security menu -> WHITE LISTS -> Resident page.

2. Click the add button; the add new resident page appears.


3. Fill in the required details for the resident group: Name, Lock to (e.g. VLAN), and the
specific VLAN/hive/location.
Optionally you can also select devices here, or later from NAS VIEW as explained below.

4. Click Save & Close to create the resident group.

5. Assign a device to the resident group: navigate to the NAS VIEW page under the NAS menu
and select the switch to which the device is connected.

6. Click on the device port to expand the view; port and device details are displayed.

7. Click the device action icon to open the device action menu.

8. Select 'Set Resident' and choose the resident group you have created.

9. The device is now assigned to the resident group and its authentication is revalidated
accordingly.

Now that the basic authentication methods have been defined and verified, compliance rules
must go through the same process.


Defining a Compliance Model


One of portnox's important features is compliance verification of the devices on the network.
portnox supports a wide variety of applications and platforms that can be inspected for their
compliance level. The following steps outline a compliance check for a simple security rule.

To define a compliance policy:

1. Navigate to the Security menu -> POLICY -> Compliance page.

2. Click the add button; the add new security model page appears.

3. Enter a Name for the compliance rule.

4. In Products to check, select the product to verify with the compliance check.
You can also choose the specific Failure event and the Action to trigger.

5. Click Save & Close to add this rule to the effective policy.

6. A message confirms that the policy was loaded successfully.


Note: The compliance model defined above must be used in a policy rule together with a Windows
authentication scheme, and it applies only to Windows hosts.


Enforcement - Define Reaction for the Security Policy


In order to configure enforcement actions you need to define a reactions policy.

1. Navigate to the Security menu -> POLICY -> Reactions page.

At this stage, portnox has a default reaction defined. It now needs to be modified.

2. Click the edit button to edit the existing rule, or the add button to create a new rule;
the add new reaction page appears.

3. Select the Hive / VLANs / Locations and the Event that trigger this reaction rule;
e.g. make sure it includes the events unauthorized hub and rogue device.

4. In the same dialog, check the email checkbox and configure the email address for alerts.


5. Click Save & Close to add this rule to the effective policy.

6. A message confirms that the policy was loaded successfully.


Configuring Your Alert Email


Security alerts are emailed to the appropriate parties, so it is important to configure your email
details. You can also configure a SYSLOG server here so that syslog alerts are sent for events.

1. Open the Settings page from the Settings toolbar icon to view and define the
various Portnox CORE global settings.

2. Click on Alerts to configure the specific server details.

3. Enter the following details:

SMTP server     The SMTP server address through which alerts will be sent.

To              The email address to which the alerts will be sent. More than one address
                can be specified, separated by semicolons.

From            The address from which the alert emails will be sent.

Syslog server   IP address of a syslog server to which events will be sent (optional).

4. Click Save.


Test portnox™ Policy Operation


At this point in the Getting Started Guide, your portnox system should be working and
monitoring the part of your network you configured. You can now view the status of the
switch, the devices connected to it, and the corresponding alerts if a security event takes place.

To view the status of your network:

1. Navigate to the NAS VIEW page under the NAS menu and select the switch to which the
device is connected.

2. Run the following tests:

Test                                                     Security Event

Connect a device you know will not match any of the      Rogue event for the connected device.
authentication profiles configured.

Enable an additional network adapter on a workstation    Does not comply event for the device.
(e.g. a wireless or Bluetooth interface).

Unset the resident group: set the resident device to     Not authenticated event for the device.
the 'none' group.


How should I continue from here?


Following the first stage of the portnox implementation, you can map the rest of the network
and add functions as desired. It is recommended to begin with the system configured for
'monitor mode' (the default mode) and later apply more advanced options (i.e. 'enforce mode').

While adding more sections of the network, the more advanced features of portnox can be used,
as in the previous parts, while still running in monitor mode.

Refer to the portnox User Guide for additional information.

A recommended roadmap for implementation:

• Define your network – To ease the ongoing use of portnox, it is recommended to
represent your network properly. After initial installation and implementation, an 'all
network' hive¹ will be defined. Continue by defining the rest of the network's hives so that
they best represent your network.

• Define locations and device groups – portnox contains several verification,
authentication and other action options that are best applied to groups: device
groups or port groups (locations). Prepare your grouping definitions in advance, so that
they can be used later within portnox.

• Define your security policy.

• Prepare an implementation plan – To add all network elements to portnox. Remember:
do not add them all at once. Complete configuring the added items before continuing to the
next group. This ensures that you will not be overloaded with events.

• Follow the portnox deployment guide.

¹ A network hive is a logical group of network elements. Using hives allows you to
implement a hierarchical structure of your network elements.


Appendix 1 - Verification of Communication


Adding a switch to Portnox is simple. Here is an explanation of the overall information and
configuration required, so that one can understand the underlying communication and
technology.

You will need to verify that portnox is communicating with and receiving events from the switch,
and then verify that SNMP traps have been configured on the switch. If not, it is recommended
to configure SNMP traps.

The following example is based on a Cisco Catalyst 2960 switch operating in SNMP v2 (v2c)
mode. The commands are designed to work on most Cisco access switches, yet your case may
vary. For other switch vendors, check the documentation for the equivalent
command set.

Example for Cisco Catalyst 2960

Configure the SNMP server on the switch:

snmp-server community portnox RW          This enables the portnox server to interact with
                                          the switch by SNMP. Set the SNMP community string
                                          appropriately for your network (e.g. portnox,
                                          doofenshmirtz).

snmp-server enable traps snmp             Configure SNMP traps to be sent from the switch
  linkdown linkup                         for linkup and linkdown events.

snmp-server host <server IP address>      Set the portnox server IP address to which SNMP
  portnox                                 traps are sent. Again, set the community string
                                          (for example portnox).

snmp ifindex persist                      Instruct the switch to keep SNMP ifIndex values
                                          consistent across reloads, so that a port keeps
                                          the same index in portnox.

Note that an SNMP v2c community string travels in clear text, and with RW it grants write
access to the switch configuration. Restrict which hosts may use it (IOS accepts an
access-list name or number at the end of the snmp-server community line) and choose a string
that is not guessable. Also, without an explicit "version 2c" keyword before the community
string, IOS sends the traps in SNMPv1 format; add it if the server is to receive v2c traps.

Verify that the portnox server is receiving those traps by performing the following:

1. Click the portnox monitor on the server desktop.


2. Locate the Event Information tab (it lists all the events received by portnox).


3. Attach a device to the switch and verify that you receive a "link up" event.

Note: In some cases where spanning-tree is configured on the switch and portfast is not configured
on the port, it may take a few seconds to receive the trap message.
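When the Event Information tab stays empty, it helps to see the raw trap the switch emits, independently of the portnox monitor. The following added example (not code from the guide or from Portnox) encodes and decodes a minimal SNMPv2c linkUp trap of the kind the configuration above produces: it checks the community string, extracts snmpTrapOID.0 and the ifIndex varbind, and can wait for one real trap on a UDP port. The sample datagram is constructed inside the code; the UDP port 1162, the request-id and the uptime value are arbitrary assumptions, and the listener must run on a port or host other than the one Portnox itself is receiving on, with the switch's snmp-server host line pointed at it for the duration of the test.

```python
"""Minimal SNMPv2c trap encoder/decoder in plain BER (added example, not Portnox code)."""
import socket

INTEGER, OCTET_STRING, OID, SEQUENCE, TIMETICKS, TRAP_PDU = 0x02, 0x04, 0x06, 0x30, 0x43, 0xA7
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # sysUpTime.0, first varbind of every v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, second varbind
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"          # ifIndex column; the instance is appended
TRAP_NAMES = {"1.3.6.1.6.3.1.1.5.3": "linkDown", "1.3.6.1.6.3.1.1.5.4": "linkUp"}

def tlv(tag, payload):
    """BER tag-length-value; long-form length when the payload exceeds 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def enc_int(tag, value):
    """Two's-complement encoding; the extra bit keeps positive values positive."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    """Dotted OID to BER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(OID, bytes(out))

def build_linkup_trap(community, ifindex, uptime_ticks=12345, request_id=1):
    """The datagram a switch sends for a link-up on ifindex (values are assumptions)."""
    varbinds = [
        tlv(SEQUENCE, enc_oid(SYS_UPTIME) + enc_int(TIMETICKS, uptime_ticks)),
        tlv(SEQUENCE, enc_oid(SNMP_TRAP_OID) + enc_oid("1.3.6.1.6.3.1.1.5.4")),
        tlv(SEQUENCE, enc_oid(f"{IF_INDEX}.{ifindex}") + enc_int(INTEGER, ifindex)),
    ]
    pdu = tlv(TRAP_PDU, enc_int(INTEGER, request_id) + enc_int(INTEGER, 0)
              + enc_int(INTEGER, 0) + tlv(SEQUENCE, b"".join(varbinds)))
    return tlv(SEQUENCE, enc_int(INTEGER, 1) + tlv(OCTET_STRING, community) + pdu)  # version 1 = v2c

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                              # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_seq(content):
    """Children of a constructed element as (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse_tlv(content, pos)
        items.append((tag, val))
    return items

def dec_oid(content):
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode_trap(msg, expected_community):
    """Decode one SNMPv2c trap and report the fields a NAC server acts on."""
    (_, version), (_, community), (pdu_tag, pdu) = parse_seq(parse_tlv(msg)[1])
    if int.from_bytes(version, "big", signed=True) != 1 or pdu_tag != TRAP_PDU:
        raise ValueError("not an SNMPv2c trap")
    info = {"community_ok": community == expected_community, "varbinds": {}}
    for _, vb in parse_seq(parse_seq(pdu)[3][1]):   # PDU field 4 is the varbind list
        (_, oid), (vtag, val) = parse_seq(vb)
        info["varbinds"][dec_oid(oid)] = (dec_oid(val) if vtag == OID
                                          else int.from_bytes(val, "big", signed=True))
    trap_oid = info["varbinds"].get(SNMP_TRAP_OID)
    info["trap"] = TRAP_NAMES.get(trap_oid, trap_oid)
    idx = [v for k, v in info["varbinds"].items() if k.startswith(IF_INDEX + ".")]
    info["ifindex"] = idx[0] if idx else None
    return info

def listen_once(port=1162, community=b"portnox", timeout=60):
    """Wait for one real trap on UDP; use a port other than the one Portnox itself holds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        msg, peer = s.recvfrom(4096)
    return peer[0], decode_trap(msg, community)

# Constructed sample: link-up on ifIndex 10, community as in the example switch config
SAMPLE_TRAP = build_linkup_trap(b"portnox", ifindex=10)
```

`decode_trap(SAMPLE_TRAP, b"portnox")` returns the community check, the trap name (linkUp) and the ifIndex (10); a trap sent with a different community is decoded just the same but reported with community_ok False, which is exactly the case a NAC server must drop rather than act on. Call `listen_once()` on a test host, then plug a device into the switch, to see the real datagram from step 3.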
