Portnox Cloud best practices

In this topic, you will find technical suggestions prepared by Portnox staff to help you make informed decisions about your Portnox Cloud deployment.

Authentication repositories

Should I use manual or automatic provisioning for an authentication repository?

Most of our customers use automatic provisioning. We recommend starting with automatic provisioning. If it does not meet your requirements, you can remove it and switch to manual provisioning.

The choice between automatic and manual provisioning is available only for the Entra ID authentication repository. For Google Workspace, only automatic provisioning is supported, while Okta always requires manual provisioning using the REST API or LDAP.

Can I use a hybrid configuration with Active Directory and Entra ID?

Yes, you can configure Portnox Cloud to work with both Entra ID and Active Directory. However, by default, Entra ID takes precedence. Users and devices found in Entra ID bypass synchronization with on-premises AD.

If you use AgentP with unattended enrollment, you can override this behavior by enabling the option to prefer on-premises AD over Entra ID.

How many Portnox LDAP Brokers should I use?

We recommend deploying at least two Portnox LDAP Brokers if you use Portnox Cloud with Active Directory or an on-premises LDAP directory. If an LDAP Broker becomes unavailable for any reason, you will lose the ability to authenticate on the network and more. The LDAP Broker is lightweight and easy to deploy.

How do I deploy LDAP Broker securely?

We strongly recommend treating LDAP Broker as a Tier 0 application because it requires high-level permissions in the local AD or LDAP directory to function. A compromise of the LDAP Broker could give an attacker full control over your local directory.

Cloud RADIUS and local RADIUS

Should I use only Cloud RADIUS servers or local RADIUS?

We recommend a hybrid setup used by most customers: deploy local RADIUS servers as primary servers on NAS devices and optionally configure Cloud RADIUS servers as secondary servers. If you configure only Cloud RADIUS servers, an Internet outage will prevent local users from logging in. We recommend this approach only if all resources are cloud-based and the local network exists solely to provide Internet access.

How many local RADIUS servers should I use?

We recommend deploying at least two local RADIUS servers. They are inexpensive to run, and having multiple servers ensures redundancy. The number of local RADIUS servers depends on the capabilities of your NAS devices and available configuration slots.

Should I run a local RADIUS server in a VM or Docker?

We recommend running local RADIUS servers in Docker because it is easier to set up and uses fewer machine resources. It also supports CoA functionality (virtual machines do not). Virtual machines offer automatic updates. Docker-based deployments require the portnox-autoupdate container.

Does it make sense to run a local RADIUS server in a cloud service?

Although supported on Azure, AWS, and Google Cloud, we recommend running the local RADIUS server on-premises to ensure availability during Internet outages. This does not improve security because communications are already secured with TLS and optional RadSec.

Should I use RadSec if it is available on my NAS device, or is RADIUS secure enough?

Most customers use RADIUS without RadSec when using secure EAP methods such as EAP-TLS and EAP-TTLS. RadSec is recommended if using less secure credential-based methods such as PEAP. The main drawback of RadSec is increased configuration complexity.

Authentication methods

Should I use certificates, credentials, or MAC-based authentication?

We strongly recommend using certificates for authentication using EAP-TLS. Credentials should be used only when absolutely necessary and preferably only with on-premises authentication repositories. MAC-based authentication should be treated as a last resort for devices that do not support other methods.

Should I use user certificates or device certificates?

User certificates are recommended for individual or multi-user devices. Device certificates are preferable for kiosks and devices without user accounts. Device authentication is available only with Entra ID, Active Directory, or on-premises LDAP.

Should I use Portnox certificates or my own certificate authority?

We recommend using the certificate authority provided by Portnox Cloud for ease of configuration and management.

Agent-based and agentless onboarding

Should I use AgentP or can I authenticate and configure my devices without it?

Most customers use AgentP because it simplifies device configuration and provides additional benefits. Using UEM or MDM platforms without AgentP is possible but more complex. Risk assessment without AgentP requires Intune or Jamf.

Should I use single-user, multi-user, or device onboarding with AgentP?

Multi-user onboarding is recommended for shared devices. Single-user onboarding is recommended for personal devices. Device-based authentication is recommended for devices without users.

Should I distribute AgentP to all the machines in my networks?

We recommend distributing AgentP using existing UEM or MDM software. Users can also manually install AgentP on BYOD devices.

What should I do with outdated BYOD devices that have AgentP installed?

Outdated or unmanaged devices should be blocked first and optionally deleted later. Deleting without blocking allows re-enrollment and network access.

Network device configuration

Should I configure NAS devices in any special way to work best with Portnox Cloud?

Configure critical authentication or critical VLAN if supported. Use monitoring mode when testing new NAS device configurations.

Portnox groups and policies

What is the best way to set up Portnox groups?

Keep the Default group as a catch-all with minimal access. Create only the minimum number of groups required.

What is the best way to set up Portnox policies and sites?

Keep the number of policies to a minimum. Use sites only when necessary.

Migration

What is the best way to migrate from the current network setup to a setup based on Portnox Cloud?

Create a parallel SSID to safely test before retiring the legacy SSID. Reusing the existing SSID is possible but carries higher risk.

What is the best way to migrate a local RADIUS server from a virtual machine to Docker?

  1. Select the VM-based local RADIUS server to replace.

    If you have multiple VM-based local RADIUS servers, migrate them one by one: complete the full process for the first server before starting the next.

  2. Change the priority of RADIUS servers in NAS device configurations so that Portnox Cloud RADIUS is the primary server, not the VM-based local RADIUS.

    Note:
    If you can’t use Cloud RADIUS servers, simply leave one VM-based local RADIUS server running while you migrate the others and use that server as your primary RADIUS during migration.
    Note:
    Optionally, you can configure NAS devices to accept Change of Authorization (CoA) packets if required by following the NAS switch documentation on CoA. This is not directly related to migration, but Docker-based local RADIUS servers give you that option.

  3. Turn off the selected VM-based local RADIUS server. Do not delete it yet; keep it powered off in case you need to roll back.

  4. Deploy the Docker-based local RADIUS server:

    • Create the Docker-based local RADIUS server by following the guide.

    • Assign the same IP address, ports, and shared secret as the VM-based server. This minimizes NAS configuration changes and reduces the risk of errors.

  5. Confirm that the Docker-based local RADIUS server shows as Active in the Portnox Cloud portal.

  6. Update NAS device RADIUS server priority to point to the Docker-based local RADIUS instance as the primary server.

    Note:
    If you kept the same IP, ports, and shared secret, you can revert to the previous configuration if your NAS devices give you such an option. Otherwise, simply adjust the priority again.

  7. Repeat this process for each remaining VM-based local RADIUS instance.

What is the best-practices migration process from a different solution to Portnox Cloud?

  1. Planning

    1. Inventory current SSIDs, VLANs, ACLs, DHCP scopes, and related components.

    2. Document existing authentication and segmentation policies.

    3. Define migration goals.

  2. Lab testing and pilot roll-out

    1. Create a test SSID using Cloud RADIUS.

    2. Validate authentication across device types.

    3. Confirm VLAN assignment and fallback behavior.

    4. Enable monitoring mode.

    5. Start with early adopters.

    6. Monitor results in Devices and Alerts.

  3. Staged deployment

    1. Expand migration gradually.

    2. Ensure certificates or AgentP are deployed.

    3. Whitelist MAC addresses if needed.

  4. Validation

    1. Confirm RADIUS redundancy.

    2. Validate certificate workflows.

    3. Verify VLAN and policy assignments.

  5. Legacy SSID retirement

    1. Disable old SSIDs after full coverage is confirmed.

    2. Ensure fallback VLAN exists.

  6. Post-migration cleanup

    1. Disable monitoring mode.

    2. Remove obsolete SSIDs.

    3. Audit NAS devices.

    4. Update internal documentation.