Portnox - Simple SaaS for AAA Services (Radius/TACACS+)

Okay, I know what you're thinking – "Ah, not another SaaS product, especially for AAA, which is a crucial part of our Network!" And I totally get it. As Network Engineers, we're used to having full control over our Authentication Servers, whether it's Cisco ISE, ClearPass, or NPS. The thought of trusting someone else with this critical task might seem a bit off at first. Why hand over the wheel when you've been driving all along, right? But here's where things get interesting. Let me introduce you to Portnox.

💡
I want to make it clear that I have no affiliation or partnership with Portnox. This post is purely based on my personal views and experiences 🙂

Who/What is Portnox?

Portnox is a company specializing in cloud-native network access control (NAC), operating within the network industry. They offer a range of services including zero trust access control, network authentication, endpoint risk monitoring, and endpoint remediation. These services are designed to enhance security for various network types, such as wired and wireless, and support a wide range of compliance requirements.

Their solutions are known for being easy to use and maintain, and they aim to make network security more straightforward for IT professionals. Their platform integrates with systems like Active Directory and Azure AD, and offers capabilities like 802.1X, RADIUS and TACACS+.

What Problem Does it Solve?

Portnox offers a solution that particularly benefits smaller businesses or those without the resources to manage dedicated hardware and services for network security. Implementing and managing 802.1X or TACACS+ can be challenging, especially when it involves provisioning and maintaining your own server. While Cisco ISE is a robust and preferred product for many, including myself, Portnox's SaaS platform presents a more accessible option for smaller or resource-limited companies.

By using Portnox, you simply point your RADIUS/TACACS+ servers to their cloud endpoints. This shift significantly reduces the complexity and resource demands of managing network security. With Portnox, the focus moves to configuring and managing policies on their user-friendly SaaS platform, streamlining the entire process and making it more manageable, especially for smaller teams or businesses.

Radius - How Does it Work?

Setting up RADIUS with Portnox is quite straightforward. First, you deploy a Cloud RADIUS instance on their platform, which will then provide you with a public IP address. This IP address is used in your wireless controllers or switches. For example, when you implement 802.1X, all your queries for authentication, authorization, and accounting will be directed to Portnox.

Additionally, Portnox allows you to synchronize your Active Directory (AD) groups and members using their AD broker. This broker is installed on an AD-joined Windows server, enabling it to sync your groups with Portnox, seamlessly integrating your existing user management systems with their platform.

💡
Portnox also provides an option for Local RADIUS instances. This is useful if you prefer not to send your queries directly to their public IP. With local instances, you point your switch or access point to this internal IP address, which then forwards the queries to Portnox's SaaS public IPs. A key benefit of these local instances is their ability to cache credentials. In the event that Portnox becomes unreachable, users can still log in, provided they authenticated during the cache window. This feature adds an extra layer of reliability to the service.

TACACS+ - How Does it Work?

TACACS+ integration with Portnox works differently because TACACS+ packets do not carry the IP address of the Network Access Server (NAS) device that sent them. Once these packets leave your network, they arrive bearing only your company's NATed public IP address, so Portnox has no way to identify the originating device. This is a limitation of the TACACS+ protocol rather than an issue with Portnox.

To address this, you need to deploy local TACACS+ instances within your network. These instances can be lightweight VMs or even Docker containers and can be installed in cloud environments like AWS or Azure. Portnox fully manages these instances post-installation. In your network setup, you direct your devices to the IP addresses of these local TACACS+ instances, which then communicate back to the Portnox Clear Platform, ensuring a seamless integration.
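To make the RADIUS-versus-TACACS+ difference above concrete, here is an added Python example (not Portnox's or any vendor's code) that builds a minimal RADIUS Access-Request carrying the NAS-IP-Address and NAS-Identifier attributes defined in RFC 2865, and a TACACS+ header as laid out in RFC 8907, then shows which of the two contains any field naming the device that sent it. The device IP and name are constructed sample values.

```python
import os
import socket
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
ACCESS_REQUEST = 1

def build_radius_access_request(username: str, nas_ip: str, nas_id: str) -> bytes:
    """Minimal Access-Request: 20-byte header + TLV attributes (constructed sample)."""
    authenticator = os.urandom(16)  # Request Authenticator is random per RFC 2865
    attrs = bytes([USER_NAME, 2 + len(username)]) + username.encode()
    attrs += bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    attrs += bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode()
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs))  # code, id, length
    return header + authenticator + attrs

def radius_nas_fields(packet: bytes) -> dict:
    """Walk the attribute TLVs and return what identifies the NAS inside the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        value = packet[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS:
            found["NAS-IP-Address"] = socket.inet_ntoa(value)
        elif atype == NAS_IDENTIFIER:
            found["NAS-Identifier"] = value.decode()
        pos += alen
    return found

def build_tacacs_header(session_id: int, body_len: int) -> bytes:
    """12-byte TACACS+ header (RFC 8907): major/minor version 0xC0, type 1 =
    authentication, seq_no 1, flags 0 (body obfuscated with the shared secret)."""
    return struct.pack("!BBBBII", 0xC0, 1, 1, 0, session_id, body_len)

def tacacs_header_fields(packet: bytes) -> dict:
    """Every field the header exposes. None of them names the sending device, so a
    server behind NAT sees only the IP-layer source address, which is the NATed IP."""
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, struct.unpack("!BBBBII", packet[:12])))
```

Run radius_nas_fields on the constructed Access-Request and you get the switch's own address and name; run tacacs_header_fields on the TACACS+ header and there is simply no such field to read.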

What's Not So Good?

  1. Latency and DR - Since every request travels over the Internet, what happens if there is an outage on their side?
  2. Dependence on External Service - In a typical 802.1X enabled network, having ISE PSNs in each office or nearby data center provides redundancy. Relying solely on a SaaS service like Portnox might pose risks during service outages or network issues.
  3. Limited Customization - Like many SaaS platforms, Portnox abstracts many low-level details. This means you might lose the ability to tweak or fine-tune configurations to the same degree you could with an in-house solution. This lack of granularity could be a limitation for those who need highly customized setups.
  4. Troubleshooting Challenges - When issues arise with a network managed by Portnox, troubleshooting can become more complicated. Unlike managing your own servers where you have direct access to logs and settings, with Portnox, you'll need to rely on their support team for access to logs and guidance on potential fixes. This dependency can potentially delay resolution times and limit your immediate visibility into issues.

Closing Up

In conclusion, Portnox offers a convenient SaaS solution for managing network security, specifically AAA services like 802.1X and TACACS+. While it simplifies deployment and management, especially for smaller businesses or those with limited resources, it does come with its own set of challenges. These include potential latency issues, dependence on an external service, limited customization, and troubleshooting complexities. Ultimately, choosing Portnox should be a decision weighed against these factors, balancing the ease of use and resource savings against the potential limitations and dependencies it introduces.