Onboard a generic IoT device through self-onboarding
In this topic, you will learn how to onboard generic IoT devices to a network managed by Portnox™ Cloud using the self-onboarding portal.
These generic instructions apply in the following scenario:
- You have an IoT device that you want to connect to your Wi-Fi or wired network managed by Portnox Cloud. This could be a printer, a scanner, a camera, or any other similar device.
- The IoT device supports 802.1X network authentication against a RADIUS server using certificates (EAP-TLS).
- The IoT device’s web interface lets you upload a certificate together with its private key in a standard container format such as PKCS#12 (.pfx or .p12).
- The IoT device does not support SCEP, so it cannot enroll for a certificate on its own; you must obtain the certificate on its behalf.
Before you can request certificates for your IoT devices and upload them to the devices, you must do the following:
- Create individual accounts in your authentication repository (for example, Microsoft Entra ID or Google Workspace) for your IoT devices, or create a single account that represents a group of IoT devices. For instance, you can create accounts like camera957@vorlon.com and camera958@vorlon.com, or you can opt for accounts like cameras@vorlon.com or printers@vorlon.com. Individual accounts mean more effort to request all the certificates, but they give you more control: each device authenticates as its own identity, so you can disable one device’s account without affecting the others. With a shared account, disabling the account cuts off every device that uses it.
- Generate temporary passwords for these accounts and enable the option in your authentication repository that lets you sign in interactively as these accounts. This is a temporary step, only required while you request the certificates.
- For each account you’ve created, follow the steps below to request the certificate, then follow your IoT device manufacturer’s instructions for uploading and configuring authentication certificates on the device.
- Once you’ve requested, uploaded, and tested the certificate for a specific device or group of devices, disable user login for that account to reduce its exposure. No one will be able to log in as the IoT device, but the certificate will still let the device authenticate to the network, and Portnox Cloud will recognize it as the account you created. The downloaded certificate file contains the device’s private key, so also delete any copies left on your workstation: anyone who has that file can authenticate to the network as that device.
Authenticate with the self-onboarding portal and download the certificate
In this section, you will learn how to authenticate with the self-onboarding portal using your corporate identity and then download the certificate for the IoT device.
In the following steps, do not use your personal Portnox or corporate account. Instead, use an account that you either:
- Created for the IoT device in one of your authentication repositories,
- Created for the IoT device in Portnox Cloud (a Portnox account), or
- Want to create for the IoT device in Portnox Cloud (a Portnox account).
- Enter the URL of the self-onboarding portal in your browser.
To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.
- Click on one of the available buttons representing authentication repositories. Then, complete the authorization process as required by your authentication repository.
Note: The buttons available on this page will depend on the authentication repositories integrated with your Portnox Cloud. It is very likely that your organization will only use one of them. The Corporate email option is available only if you configured the self-onboarding portal to allow end-users to use and create Portnox accounts using the self-onboarding portal.
- In the Select your device’s operating system field, select the Windows option.
- Click on the Obtain Certificate button to download the certificate. The downloaded file contains the device’s private key, not only its certificate, so keep it only as long as you need it to configure the device.
Optional: Add a password to the certificate’s private key
In this section, you will temporarily import the downloaded certificate into your certificate store and then export it again, adding a password to the private key.
By default, the private keys that Portnox Cloud generates and includes with certificates have empty passwords. Some IoT devices refuse a private key with an empty password, so you must add one before the device accepts the certificate. Only follow the instructions in this section if the IoT device rejects the downloaded file because its private key has an empty password.
- Import the downloaded certificate into your certificate store, marking the private key as exportable.
- Export the certificate and the private key, adding a password to the private key.
- Delete the temporarily imported certificate from your certificate store. Make sure the private key is deleted together with the certificate entry; otherwise a copy of the device’s key remains on your workstation.
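The three steps above carried out from PowerShell on a Windows workstation, as an added example that is not part of the Portnox documentation. It assumes the downloaded file is named portnox-iot.pfx in your Downloads folder and writes the password-protected copy as portnox-iot-protected.pfx next to it; both names are placeholders. It uses the PKI module cmdlets Import-PfxCertificate and Export-PfxCertificate, then removes the temporary store entry together with its private key.

```powershell
# Added example (not from the Portnox documentation): re-wrap a passwordless PKCS#12
# file with a private-key password by importing it into the current user's
# personal store, exporting it again with a password, and then removing the
# temporary copy together with its private key.
# Assumptions (not in the original page): the downloaded file is
# $env:USERPROFILE\Downloads\portnox-iot.pfx and the new file should be
# portnox-iot-protected.pfx. Requires the PKI module (Windows 8 / Server 2012 or later).

$inFile  = Join-Path $env:USERPROFILE 'Downloads\portnox-iot.pfx'
$outFile = Join-Path $env:USERPROFILE 'Downloads\portnox-iot-protected.pfx'

# Prompt for the new password instead of hard-coding it in the script.
$newPassword = Read-Host -Prompt 'New private-key password' -AsSecureString

# The key in the downloaded file has an empty password, so supply an empty SecureString.
$emptyPassword = New-Object System.Security.SecureString

# 1. Import temporarily. -Exportable is required; otherwise Windows marks the key
#    non-exportable and the export step below fails.
$cert = Import-PfxCertificate -FilePath $inFile `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $emptyPassword -Exportable

try {
    # 2. Export certificate plus private key, now protected with the new password.
    Export-PfxCertificate -Cert $cert -FilePath $outFile -Password $newPassword | Out-Null

    # 3. Check that the new file opens with the password and still carries the key.
    $check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($outFile, $newPassword)
    if (-not $check.HasPrivateKey) { throw "Exported file $outFile has no private key" }
    Write-Host "Wrote $outFile for $($check.Subject), thumbprint $($check.Thumbprint)"
    $check.Dispose()
}
finally {
    # 4. Remove the temporary copy from the store. -DeleteKey also removes the private
    #    key container; without it the key would stay on the workstation.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

Run it in a normal (non-elevated) PowerShell session: the current user’s personal store is enough for a temporary import, and -DeleteKey in the finally block ensures the key container is cleaned up even if the export fails. Once the device has accepted portnox-iot-protected.pfx, delete both files from the Downloads folder.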
Optional: Download the root CA certificate from Portnox Cloud
In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal so that you can upload it to the IoT device.
Some IoT devices ask you to upload a root CA certificate when configuring 802.1X connections. The device uses it to verify the Cloud RADIUS servers, whose certificates are signed by this root CA. Without that check, the device cannot tell a rogue access point with an impostor RADIUS server from the real one. Only do the steps in this section if your IoT device requires a root CA certificate.
- In the Cloud portal top menu, click on the Settings option.
- In the Cloud portal left-hand side menu, click on the
option.
The right-hand pane shows the list of active servers.
- Click on any of the active RADIUS services to show its configuration.
- Click on the Download root certificate link to download the root CA certificate.
Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.
- Upload the root CA certificate to your IoT device.
Follow the instructions from the IoT device’s manufacturer.
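Before uploading the file, it is worth confirming that you picked up the CA certificate and not a device certificate, and noting its thumbprint so you can compare it with what the device displays after the upload. The following PowerShell function does that; it is an added example, not part of the Portnox documentation, and assumes the file was saved under its default name rootCertificate.cer in your Downloads folder.

```powershell
# Added example (not from the Portnox documentation): sanity-check the downloaded
# root CA file before uploading it to the IoT device, and report its thumbprint so
# you can compare it with what the device shows after the upload.
# Assumption (not in the original page): the file was saved to the Downloads folder
# under its default name rootCertificate.cer.

function Test-RootCaFile {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads\rootCertificate.cer'))

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # A root CA certificate is self-issued and carries BasicConstraints with CA=true.
    $bc = $ca.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($null -ne $bc) -and $bc.CertificateAuthority

    if (-not $isCa) {
        Write-Warning "$Path is not a CA certificate; did you download a device certificate instead?"
    }
    if ($ca.HasPrivateKey) {
        Write-Warning "$Path contains a private key; a root CA file to upload to a device must not."
    }

    [pscustomobject]@{
        Subject       = $ca.Subject
        Issuer        = $ca.Issuer
        SelfIssued    = ($ca.Subject -eq $ca.Issuer)   # expected $true for a root CA
        IsCa          = $isCa
        NotAfter      = $ca.NotAfter
        Expired       = ($ca.NotAfter -lt (Get-Date))
        Thumbprint    = $ca.Thumbprint                 # compare with the value shown on the device
        HasPrivateKey = $ca.HasPrivateKey
    }
}

Test-RootCaFile
```

If IsCa is false, or the file contains a private key, you have the wrong file: go back to the RADIUS service configuration and use the Download root certificate link. Keep the thumbprint with your device inventory; it is the value to check when a device shows which server certificate or trust anchor it is using.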