Troubleshooting typical issues in the Portnox Cloud portal

In this topic, you will learn how to address the most common issues when using the Portnox™ Cloud portal https://clear.portnox.com.

Why does a newly created account, such as a MAC-based or contractor account, not appear in search results on the Devices screen, even though it appears when you scroll through the list?

When the database structure changes, such as in a new release, Portnox Cloud may reindex existing data. This process can take 2–3 days. During this time, some data may not appear in search results. The data is not missing and remains in the database. The search index is only used for searching.

This reindexing does not happen with every release and may start days after a release. Because of the large amount of data, the issue usually resolves on its own within 2–3 days.

If you need a faster fix, you can open a support ticket and ask support to have the development team manually reindex the affected organization. We are also working on improvements to reduce reindexing time.

Why is a MAB device placed in a group but receives an access policy not assigned to that group?

When a MAB device fails authentication because it is not recognized as part of any existing MAC-based account, Portnox Cloud creates a new account for the device and assigns it to the Default group. As a result, the access control policies of the Default group are applied to the device. This behavior is by design and occurs for all devices authenticated using MAB.

On the Devices screen, what do the Last Connected and Last Reported Time columns mean for devices with AgentP, and what is the difference between them?

Last Reported Time shows the last time AgentP sent the device status to Portnox Cloud over the Internet. This can happen when the device connects to any network, such as a home network, a mobile network on a BYOD device, or a guest network on a company device. Last Connected shows the last time the device used AgentP to authenticate to a Wi-Fi or wired network managed by Portnox Cloud. This value applies only to network access and does not apply to ZTNA.

How can you delete or change the activation email for a domain, shown on the Settings > Organization screen, in the Organizational Mail Domains section?

The activation email displayed for each domain does not affect how Portnox Cloud works after activation. It is shown only for informational purposes, so leaving it as is will not cause any issues.

You cannot edit the activation email directly. To delete or change it, you must delete the organizational mail domain and then add it again with the desired email address.

Deleting an organizational mail domain has important effects: all administrators with email addresses from that domain will be removed, and you must add them again manually. Additionally, all Portnox accounts associated with that domain will also be removed and must be re-added after re-adding the domain.

When checking the Device details pane (visible on the right-hand side of the Devices screen after selecting a device) and the Session details pane (opened from the Alerts screen using the Session details link under an alert), the client device IP addresses listed may be different. Why?

The Client IP Address in Session details is taken directly from the authentication request.

The Public IP in Device details is obtained directly from the device and only for AgentP devices.

These fields can differ if the device uses a VPN. In that case, the Client IP Address shows the IP address of the VPN server, and the Public IP shows the device’s public IP address as it would be without the VPN.

Also note that Session details may not contain an IP address because 802.1X authorization occurs before the client even has an IP address:

  1. The client requests access to the network and authorizes using 802.1X (Layer 2).

  2. The authorized client then obtains the IP address (Layer 3), for example, from a DHCP server.

What is the function of the Deactivate button on the Devices screen?

The Deactivate button on the Devices screen works similarly to the Deactivate button in the AgentP user interface. It forces AgentP on the device to re-enroll.

  • For an agentless device, the button has no effect.

  • For an AgentP device that is not yet enrolled, it has no effect.

  • For an AgentP device that was manually enrolled, the user will be asked to manually enroll again.

  • For an AgentP device that was auto-enrolled, the device will auto-enroll again.

  • For an AgentP device that is currently not connected to the network or to the internet at all, the deactivation request remains pending for 2 days only. If the device does not connect to the internet during those 2 days, the deactivation request is canceled.

Note:
The deactivated device is not removed from the list of devices, and its network access is not revoked. The device’s network interface remains configured, and the device is able to connect to the network as usual during the deactivation process.