When does Portnox Cloud consume a license?

In this topic, you will find answers to some common questions about Portnox Cloud licensing, including when Portnox Cloud consumes a license for devices.

Network Access Control licensing

When is a device license consumed?

A device license is consumed whenever a new device successfully authenticates to the network.

It is also consumed when a device fails to authenticate and the admin has set an access policy to put the device in a quarantine/remediation VLAN or apply an ACL to it.

Does a device that is denied access consume a license?
  • Yes: If Portnox Cloud places the new device in a restricted VLAN or applies an Access Control List, this device consumes a license.

  • No: If a device is denied access to the network completely, it does not consume a license.

Does a device with multiple network interfaces consume more than one license?
  • Yes: If the device is not managed by AgentP or Intune, Portnox Cloud has no way to recognize that different network interfaces belong to a single physical device, so each interface consumes one license. This could be an Ethernet interface, Wi-Fi interface, docking station Ethernet interface, etc.

  • No: If the device is managed by AgentP or Intune (requires the device ID SAN value), Portnox Cloud recognizes that the network interfaces belong to the same device and no extra licenses are consumed.

    Note:
    To check if the network interfaces are correctly associated with the same Intune-managed device, see this troubleshooting topic: How to check if two network interfaces belong to the same Intune-managed device?

Where to find accurate information about license consumption?
  • The tile on the Dashboard that says Total devices in organization.

  • In the subscription plan: Help > SUBSCRIPTION PLAN > Maximum number of allowed devices > Total used

  • In the devices.csv spreadsheet: Devices > ACCOUNTS > Export > Export devices.

When are device licenses reclaimed?

Automatic license reclamation works differently depending on the device type:

  • Licenses for MAB devices are reclaimed 90 days after their last network authentication.

  • Licenses for devices with AgentP are reclaimed 90 days after their last communication with Portnox Cloud services.

  • Licenses for agentless devices authenticated via 802.1X are reclaimed 30 days after their last network authentication.

Can I forcibly reclaim device licenses before they are automatically reclaimed?

Yes, device licenses can be reclaimed manually by deleting the devices from the devices grid in the UI, using the API, or by deregistering AgentP on the device.

When are NAC captive portal licenses reclaimed?
  • Captive portal licenses are automatically reclaimed every day at midnight.

  • Captive portal licenses can be manually reclaimed by deleting the guest account in Portnox Cloud (Guests screen).

What is the Extra Allowance Percentage used for?

NAC and RADIUS are the only products that include extra allowance. This allowance lets customers use more devices than their purchased entitlements. By default, Portnox gives a 100% extra allowance for both NAC and RADIUS. For example, a customer with a 100-device annual subscription can authenticate up to 200 unique devices each month without being blocked for exceeding their limit.

This extra allowance is designed to give customers the flexibility they need to manage their devices effectively. It allows them to replace old equipment or issue new certificates without service interruptions caused by reaching their device limits. Customers who exceed their subscription limits but are still within this extra allowance can expect to receive a message from Portnox. They will have the option to buy more device entitlements or remove any unnecessary devices from their Portnox Cloud tenant.

TACACS+ licensing

When is a TACACS+ license consumed?

A TACACS+ license is consumed whenever a new TACACS+ user successfully authenticates to a TACACS+ NAS device.

How can I determine which accounts are using a TACACS+ license?

On the Devices screen, in the left-hand side menu, select ACCOUNT TYPE, and then select Network administrators.

When are TACACS+ licenses reclaimed?

TACACS+ licenses are reclaimed 30 days after the user’s last successful TACACS+ authentication.

Where can I see the last time a user successfully authenticated to a TACACS+ device?

Click on the Network administrator account name on the Devices screen. The right-hand side pane shows the date and time of the user’s last successful TACACS+ authentication and the NAS device they connected to.

Can I forcibly reclaim a TACACS+ license?

Yes. A TACACS+ license can be manually reclaimed by deleting the account that has an assigned TACACS+ license. You can do this on the Devices screen by activating the checkbox next to the account name and then clicking on the Delete button above.

Zero Trust Network Access (ZTNA) licensing

When is a ZTNA license consumed?

A ZTNA license is consumed when a new user successfully authenticates to a ZTNA-protected resource.

When are ZTNA licenses reclaimed?

ZTNA licenses are reclaimed 30 days after a user’s last successful authentication to a ZTNA-protected resource.

How can I determine which accounts use ZTNA licenses?

You cannot currently see which devices use a ZTNA license in the product. You can see the total number of ZTNA licenses used on the summary dashboard. You can see the total number of licensed ZTNA devices under Help > Subscription Plans, shown as Maximum number of Zero Trust Network Access devices.

How can I forcibly reclaim a ZTNA license?

You can manually reclaim a ZTNA license by deleting any device that authenticated to a ZTNA-protected resource in the last 30 days. You can do this on the Devices screen.

Note that deleting the device causes AgentP to remove the certificate from the device and unenroll. The user must manually re-enroll AgentP before they can authenticate to the network (NAC), use MFA (TACACS+), or access a ZTNA-protected resource again.