How to onboard IoT devices using MAC-address-based onboarding

In this topic, you will find a suggested process for onboarding IoT devices when you do not know their full inventory.

This topic explains how to use MAC-address-based onboarding to enroll IoT devices (MAC-authenticating devices) into Portnox Cloud when you do not have a complete inventory of these devices. The process runs in two phases: identification, in which you connect one test unit of each device type and define its account and group, and capture, which is the live enrollment of all remaining devices during the migration to Portnox Cloud.

Most customers do not have a full list of their IoT devices. To address this, Portnox Cloud provides MAC-address-based onboarding. This feature lets you enroll devices over a limited period, such as during a site migration. Enable this feature just before adding the 802.1X configuration to a switch or access point, and disable it as soon as all IoT devices at the site are accounted for: while it is enabled, any device that authenticates by MAC address is granted access and enrolled.

When MAC-address-based onboarding is enabled, every MAC-authenticating device that connects is automatically enrolled. Accounts are generated per vendor, derived from the OUI (the first three octets) of the device MAC address, and all of these accounts are placed in the single group that you select in the Assign to the group field. The steps below describe best practices for using this feature effectively.

Note:
If you store MAC addresses of all your devices in Intune, an alternative approach is to turn on the Onboard all Intune devices option in the Settings > Services > GENERAL SETTINGS > MAC-address-based onboarding section. All devices will then be added to a single group, which you select using the Assign to the group field.

Phase 1: Identification

This phase is designed to identify your different IoT device types by testing one device at a time. Do not connect multiple unknown devices at once. Connect exactly one example of a specific device type, let the system discover it and generate its account, organize that account, and finalize it before moving on to the next device type.

  1. Create and configure the destination group for your discovered devices.
    1. Go to Groups in the top menu and click Add group.
    2. Fill in the Group name (for example, HP Printers).
    3. In the Device global settings section, select the Unlimited checkbox.
    4. Configure wired, wireless, and policy assignments to ensure this group has the necessary network permissions for staging devices.
    5. Click on the Save button.
  2. Click on the Policies option in the top menu.
    1. Create an access control policy for the device type, if needed.
  3. On the Groups screen, in the left-hand side menu, click on the POLICY ASSIGNMENTS option.
    1. If required, make the changes needed to assign the policy above.
    2. Click on the Save button.
  4. Enable MAC-address-based onboarding. In Portnox Cloud, go to Settings > General Settings > MAC-address-based onboarding.
    1. Click on the Edit link.
    2. Activate the Grant access to any device... checkbox.
    3. In the Assign to the group field, select the group that you created in the previous step.
    4. Click on the Save button.
  5. Enable 802.1X/MAB on a switch and at least one switch port.
  6. Note the MAC address of the test device.
  7. Connect the device to the port configured with 802.1X/MAB.
  8. Monitor alerts for account creation.
  9. Click on the Devices option in the top menu and search for the MAC address.
  10. Verify that the account to which the device was assigned is created.
  11. Optional: Edit this account by clicking on the 🗎 icon in the right-hand side pane.
    Note:
    The account created by the previous steps is automatically named after the hardware vendor based on the OUI component of the MAC address. Renaming this account is optional.
    1. Change the Account display name to a value that represents the device type, such as Cisco IP Phones, HP Printers, etc.
    2. Click on the Save account button.
  12. Repeat steps 1 to 11 for your next specific device type, selecting the new group in the Assign to the group field and connecting only one test unit at a time.
  13. Disable MAC-address-based onboarding. In Portnox Cloud, go to Settings > General Settings > MAC-address-based onboarding.
    1. Click on the Edit link.
    2. Deactivate the Grant access to any device... checkbox.
    3. Click on the Save button.

Phase 2: Capture

This phase is designed to capture all IoT devices based on the account and group structure defined earlier. It relies on all devices of the same type sharing the same vendor OUI, because the account a device lands in is determined by the prefix of its MAC address. This is usually not an issue; exceptions are handled in step 3 below. This phase happens during a migration or cut-over to Portnox Cloud. Because MAB trusts the MAC address alone, which any device can present, treat the onboarding window as a temporary relaxation of your access policy: keep it as short as the cut-over allows and review every newly created account before you close it.

  1. Enable MAC-address-based onboarding. In Portnox Cloud, go to Settings > General Settings > MAC-address-based onboarding.
    1. Click on the Edit link.
    2. Activate the Grant access to any device... checkbox.
    3. In the Assign to the group field, select the Default group. Any devices with vendors that were not discovered before will be added to this group, and you can then manually reassign them to correct groups.
    4. Click on the Save button.
  2. Enable 802.1X/MAB on a switch and at least one switch port.
  3. Monitor alerts for account creation and exceptions.
    1. If an IoT device enrolls and its MAC address does not match one of the pre-configured accounts, a new account named after the vendor of the MAC address OUI is created in the Default group.
    2. Investigate what the device is, then either move the new account to the proper group, or delete the new account and add the MAC address to the appropriate existing account.
  4. When you no longer see any live MAB authentications occurring outside of the expected groups in the alerts, the onboarding is complete.
  5. Disable MAC-address-based onboarding. In Portnox Cloud, go to Settings > General Settings > MAC-address-based onboarding.
    1. Click on the Edit link.
    2. Deactivate the Grant access to any device... checkbox.
    3. Click on the Save button.
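The account naming in Phase 1 and the exception handling in Phase 2 both turn on the OUI prefix of the MAC address. The following script is an added example, not part of the Portnox documentation or product: it normalizes MAC addresses in the mixed notations that switch logs and consoles emit, matches each one against the accounts you defined in Phase 1, and sorts the rest into the exceptions you need to investigate. The OUI table, the Phase 1 account map and the observed MAC list are constructed samples; a real run would load the IEEE OUI registry and your own Phase 1 results. Addresses with the locally administered bit set are reported separately, because their prefix is not vendor-assigned and an OUI-based account name for them is meaningless.

```python
"""Triage MAC addresses observed during a MAB onboarding window by OUI.

Added example for this page; not Portnox code. The OUI table, the
Phase 1 account map and the observed MAC list are constructed samples.
"""
import re

# Constructed sample OUI -> vendor table. A real tool would load the IEEE
# MA-L registry instead; these entries are illustrative only.
SAMPLE_OUI_VENDORS = {
    "3C:D9:2B": "Hewlett Packard",
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:50:56": "VMware, Inc.",
}

# Hypothetical outcome of Phase 1: account display name -> OUIs that the
# single test unit of each device type authenticated with.
PHASE1_ACCOUNTS = {
    "HP Printers": {"3C:D9:2B"},
    "Lab Sensors": {"B8:27:EB"},
}

# Constructed sample of MAC addresses seen in the Phase 2 alerts, in the
# mixed notations that switches and the cloud console tend to emit.
OBSERVED_MACS = [
    "3c:d9:2b:11:22:33",      # HP printer, matches a Phase 1 account
    "3CD9.2B44.5566",         # same OUI in Cisco dotted notation
    "B8-27-EB-AA-BB-CC",      # sensor, matches a Phase 1 account
    "00:50:56:01:02:03",      # known vendor but no Phase 1 account: exception
    "F0:0F:00:12:34:56",      # vendor not in the table: exception
    "02:1A:2B:3C:4D:5E",      # locally administered bit set: not vendor-assigned
    "not-a-mac",              # garbage from a log line
]


def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF for colon, dash, dotted or bare input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets: the part the vendor-named account is derived from."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address is not vendor-assigned
    (randomized or manually configured), so an OUI lookup is meaningless."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify(raw, oui_table=SAMPLE_OUI_VENDORS, accounts=PHASE1_ACCOUNTS):
    """Map one observed MAC to (status, label).

    known      -> label is the Phase 1 account it belongs to
    exception  -> label is the vendor name a new account would get
    randomized -> OUI is not vendor-assigned; identify the device another way
    invalid    -> the string is not a MAC address at all

    Note that this reflects the vendor the device claims via its MAC address,
    which is spoofable; it is a triage aid, not proof of identity.
    """
    try:
        mac = normalize_mac(raw)
    except ValueError:
        return ("invalid", raw)
    if is_locally_administered(mac):
        return ("randomized", mac)
    prefix = mac[:8]
    for account, ouis in accounts.items():
        if prefix in ouis:
            return ("known", account)
    return ("exception", oui_table.get(prefix, f"Unknown vendor ({prefix})"))


def triage(raw_macs, oui_table=SAMPLE_OUI_VENDORS, accounts=PHASE1_ACCOUNTS):
    """Group a batch of observed MACs by classification for manual review."""
    report = {"known": {}, "exception": {}, "randomized": [], "invalid": []}
    for raw in raw_macs:
        status, label = classify(raw, oui_table, accounts)
        if status in ("known", "exception"):
            report[status].setdefault(label, []).append(normalize_mac(raw))
        else:
            report[status].append(label)
    return report


def onboarding_complete(report):
    """Phase 2 exit condition: nothing left outside the expected accounts."""
    return not (report["exception"] or report["randomized"])


if __name__ == "__main__":
    for status, entries in triage(OBSERVED_MACS).items():
        print(status, entries)
```

Feed the script the MAC addresses from your alerts once per review pass; when the exception and randomized buckets are empty and no new entries appear, you have reached the exit condition in step 4 of Phase 2 and can disable MAC-address-based onboarding.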