QUICK START GUIDE
Portnox CLEAR
Quick Start Guide
clearsupport@portnox.com www.portnox.com
What is Portnox CLEAR?
Portnox CLEAR is a cloud-delivered network access control solution providing
actionable network visibility and risk management of endpoints in any location,
on or off campus. CLEAR delivers continuous risk monitoring of all endpoints –
IoT, BYOD and managed devices, across wired, wireless and virtual networks.
As a cloud-delivered solution, CLEAR is always running the most up-to-date
version with the latest features and capabilities. The solution authenticates
devices against various repositories and goes deep into the security posture of the
endpoint. Network access is granted based on the user’s or device’s identity or
certificate, as well as the device’s risk profile.
How Portnox CLEAR Works
1. Initial account setup for the enterprise is done online within a few
   minutes, and then any endpoint, in any location, is on-boarded to
   the Portnox CLEAR account by using a corporate email or a
   domain directory* identity (on-prem Active Directory, Azure AD,
   G Suite or Okta UD).
2. Each account is assigned to a group based on company policies.
   CLEAR’s groups define which networks (Wireless, Wired, VPN) the
   account (and its devices) has access to, and from here on out
   CLEAR will automatically keep track and manage all associated
   identities.
3. The CLEAR engine assigns the following policies:
   - Access Control Policy: Allow / Deny Access or assign VLAN /
     ACL upon successful authentication, authentication failure,
     risk policy violation and blocking by Admin
   - Risk Assessment and Remediation Policies: requires a
     lightweight AgentP on endpoints. Supported with OS X,
     Windows, Linux, iOS and Android
4. All authentication, authorization and enforcement events are
   immediately reflected by the real-time Alerts.
*Open LDAP is supported as well
Portnox CLEAR Architecture
Setting Up Portnox CLEAR
Follow these seven steps to configure, enable and start gaining the
continuous device monitoring and access control values of CLEAR.
Should you encounter any problems or have questions, we are available to
help; just email us at clearsupport@portnox.com.
Step 1: Create Your CLEAR Account
- Navigate to https://clear.portnox.com/ and click Sign Up.
- Submit your information in the Registration page. When
  providing an email address, provide one with the same email
  domain as that of the users who will be registering for the
  service. No public email addresses are allowed, such as
  @gmail.com, @hotmail.com, etc.
- You will receive a Welcome email. Click the activation
  link in the email.
- In addition, we support sign-up by SSO using a G Suite or
  Azure Directory identity.
Step 2: Configure RADIUS for CLEAR Access Control
CLEAR supports RADIUS access controls across wireless, wired
and VPN. To enable RADIUS access controls, go to Settings >
Services and expand CLEAR RADIUS Service. Then:
- Click Create new CLEAR RADIUS instance, choose the RADIUS
  instance according to your geo-location, and press Create.
- Note the RADIUS server details, which you will need when
  configuring your RADIUS clients, devices and equipment in
  Steps 4a, 4b, 4c and/or 7.
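How a RADIUS client and server use these details to authenticate each other's packets, shown as an added example (not Portnox code and not part of the original guide). It assumes the RADIUS server details include a shared secret, as in standard RADIUS (RFC 2865/2869); the secret, user name and NAS identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def attr(attr_type, value):
    """Encode one attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, user, nas_id, request_auth=None):
    """Client side: Access-Request carrying a Message-Authenticator (RFC 2869)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # value is zeroed while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def request_mac_ok(secret, packet):
    """Server side: recompute the Message-Authenticator over the zeroed packet."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False  # malformed attribute, stop parsing
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator present

def sign_reply(secret, code, ident, request_auth, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def reply_is_authentic(secret, request, reply):
    """Client side: accept a reply only if it matches our request and our secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A mismatched secret on either side shows up as a failed check here, which on real equipment usually appears as silently dropped requests or timeouts rather than an explicit reject.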
Step 3: Directory Integration as Authentication Repository
Directory Integration is required for:
- Network Authentication by Directory Identities
- Endpoints on-boarding via AgentP enrollment or Agentless Self-Onboarding
- Directory Identities mapping for Policies assignment Network
  Access restriction
To enable your site for Portnox Directory integration, simply refer to
the guides below:
On-prem or Azure AD:
https://portnox.box.com/v/adbroker
G Suite Directory:
https://portnox.app.box.com/v/GSUITECLEARIntegration
Okta Universal Directory:
https://portnox.box.com/v/OKTADirectoryCLEARIntegration
Step 4: Configure the Network Access Layers That Will Use CLEAR
CLEAR supports all your network access layers. Follow the steps
below for those access layers you want to support with CLEAR.
Step 4a: CLEAR for Wireless Access Control
Perform the following for every WiFi network you plan to protect with
CLEAR:
Navigate in the portal to Groups. Edit the Default group or create
new security groups (Step 5). Whether you are creating or editing a
group, in Group Settings > 802.1X WIRELESS NETWORK
ACCESS, click Add WiFi network and specify:
- The SSID of the network you wish to secure.
- The allowed authentication type(s).
- The Device requirement: Agent-based & Agentless, Agent-based only or
  Agentless only.
- Expand “ADVANCED CONFIGURATION (DEVICE PROVISIONING)” to select the
  desired authentication type for devices’ provisioning. Note: a single
  Certificate authentication selection allows EAP-TLS provisioning only.
  Device provisioning is irrelevant for the MAC Based Authentication type.
- Click Save.
Configure your WLAN to use CLEAR’s RADIUS server – whose
details you noted down in Step 2 – for device authentication. See
the Knowledge Base in the Portnox support site for a Wi-Fi
configuration example.
Step 4b: CLEAR for Wired Access Control
Navigate in the portal to Groups. Edit the Default group or
create new security groups (Step 5). Whether you are creating
or editing a group, go to Group Settings > 802.1X WIRED
NETWORK ACCESS and specify:
- The allowed authentication type(s).
- The Device requirement: Agent-based & Agentless, Agent-based only
  or Agentless only.
- Expand “ADVANCED CONFIGURATION (DEVICE PROVISIONING)” to select the
  desired authentication type for devices’ provisioning.
  Note: device provisioning for wired connection is applicable for OS X and
  Linux operating systems only.
- Click Save.
Step 4c: CLEAR for VPN Access Control
Navigate in the portal to Groups. Edit the Default group or create
new security groups (Step 5). Whether you are creating or editing a
group, in Group Settings check the Enable VPN access for
devices in this group checkbox.
- Select the Allowed Authentication Type(s).
- Set the desired Multi-factor authentication type:
  - None – Portnox CLEAR does not provide Strong authentication; it is up
    to the organization to provide this.
  - Push-To-Access – Push notifications to AgentP device for user to
    approve connection.
  - All Devices – Local AgentP authorizes VPN connection of the client.
  - Mobile only – External AgentP app on iOS or Android devices
    authorizes VPN access for computers.
Define RADIUS authentication on your VPN gateway using the
CLEAR RADIUS server details you noted down in Step 2. See the
Knowledge Base in the Portnox support site for a VPN Gateway
configuration example.
Step 5: Define CLEAR Security Groups (Optional)
Assign end-users to groups either manually - CLEAR / Contractors or MAC-
based accounts - or by mapping the Directory (on-prem Active Directory,
Azure AD, G Suite or Okta UD) groups to CLEAR security groups. If this is an
on-prem Active Directory, you must deploy the Portnox™ Active Directory
Broker (Step 3) if you haven’t done so already. Note that automatic onboarding
of agentless accounts upon successful authentication requires checking the
“Enable automatic LDAP-based device onboarding” box at Group Settings >
Automatic Device Onboarding.
Assign to security groups the access control, risk and remediation policies you
define in the portal's Policies page.
Step 6: On-Board Users / Devices
Portnox CLEAR supports several methods of on-boarding
devices/users depending on your need and the type of device
(user, IoT). Follow the steps below based on your specific need
and environment.
Step 6a: Portnox AgentP Enrollment
For corporate and BYOD devices, AgentP enrollment supports the most
feature-rich use of CLEAR, including continuous risk monitoring, risk-based
access controls, remediation, certificates distribution (for credentials-free
authentications) and automated credential management.
Download the AgentP that corresponds to the device’s OS:
- iOS (iPhone and iPad) – Search for the Portnox AgentP App on App Store, or
  click the link: https://itunes.apple.com/us/app/portnox-agentp/id861819015?mt=8
- Android – Search for the Portnox AgentP App on Google Play, or click the link:
  https://play.google.com/store/apps/details?id=com.portnox.agentp&hl=en
- Windows, OS X and Linux – Click the link:
  https://clear.portnox.com/agentinstall
Install AgentP on the device and enroll. The user can create either:
- A Portnox CLEAR account, using their corporate email; or
- A Directory account based on the user’s identity if the organization deployed
  and configured a Portnox™ Active Directory Broker (Step 3).
AgentP supports enrollment using federated services (MFA) with Azure, Okta and G Suite.
Step 6b: Portnox Agentless & IoT Device On-Boarding
The options below are to support on-boarding of user devices without
AgentP and of devices that cannot support an agent such as printers,
VoIP and other internet-of-things (IoT) devices.
- CLEAR admin onboarding. In this case, create user accounts using
  Create new account in the Portal’s Devices page. You can
  create the following types of user accounts:
  - A Portnox CLEAR account, based on a user’s corporate email
  - A Directory account based on the user’s identity (on-prem Active Directory,
    Azure AD, G Suite or Okta UD), if the organization deployed and configured a
    Portnox™ on-prem Active Directory Broker (Step 3)
  - A MAC-based account, based on a device’s MAC address. Intended mainly
    for Internet of Things devices
  - A Contractor account, based on a user’s non-corporate email
AgentP is mandatory for continuous risk monitoring, risk-based access
controls and remediation.
- Self-onboarding. In this case, you must:
  - Go to Settings > Services > CLEAR General Settings > Self On-Boarding,
    and check the Allow self on-boarding by end-users option.
  - Send users the URL of a self on-boarding site, where each user can create
    either:
    - A Portnox CLEAR account, using their corporate email; or
    - A Directory account based on the user’s domain identity (on-prem
      Active Directory, Azure AD, G Suite or Okta UD), if the organization
      deployed and configured a Portnox™ on-prem Active Directory
      Broker (Step 3)
Note that security risk assessment and scoring cannot be
performed for non-AgentP devices.
Step 7: Guest Access Management (Optional)
Portnox CLEAR supports several methods of onboarding and
managing your guest network access. Download the Guest
Network Management Guide from the CLEAR portal for
configuration guidelines.
Technical questions or issues? Email: clearsupport@portnox.com
Purchase CLEAR or license cost questions? Email: clearsales@portnox.com
About Portnox
Portnox provides simple to deploy, operate and maintain network security, visibility and access
control solutions. Portnox software can be deployed on-premises, as a SaaS/cloud-delivered
service, or in hybrid mode. It is agentless and is vendor agnostic, allowing organizations to maximize
their existing network and cybersecurity investments. Hundreds of enterprises around the world rely
on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The
company has been recognized for its innovations by Info Security Products Guide, Cyber Security
Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX, Cyber
Defense Magazine and more. Portnox has offices in the U.S., Europe and Asia.