Preventive measures: What to do to avoid outages
In this topic, you will learn what preventive steps you can take to avoid disruption of your services secured by Portnox™ Cloud, if there are faults or outages.
If you use Portnox Cloud, your other business services such as networking or applications become dependent not just on Portnox Cloud, but also on your ISP and the connection to the Internet.
If you do not take any preventive measures, here is what can happen in case of temporary problems:
- If you use Portnox Cloud to authenticate your users and devices onto your business networks, your users and devices may be unable to join networks secured by Portnox Cloud until the problem is fixed.
- If you use Portnox Cloud for TACACS+, you may be unable to administer your network devices until the problem is fixed.
- If you use Portnox Cloud for Conditional Access to Applications, your users may be unable to log on to your business applications until the problem is fixed.
Such temporary service disruptions may happen, for example, in the following circumstances:
- Most common: If there is an Internet outage, for example, if you lose connection to your ISP or if your ISP is experiencing problems.
- Less common: If there is a fault in the configuration, for example, if you delete an important file such as a certificate, or if you make a mistake when reconfiguring Portnox Cloud.
- Very rare: Due to problems with Portnox Cloud itself or the Microsoft Azure infrastructure.
The following are preventive measures that you can take to avoid the problems listed above:
Install a local RADIUS server
The Portnox Cloud local RADIUS server is a cache and a proxy to Portnox Cloud services. You run it on your premises, in a virtual machine or in a Docker container.
For the local RADIUS server to work as a preventive measure, you must configure your NAS devices to connect to the local RADIUS server as the primary server, because only then can user information be cached. If you configure your cloud RADIUS servers as your primary servers, the local RADIUS server is not used as long as the cloud RADIUS servers work, and so it has no cached data.
- Advantages:
  - All your users and devices that authenticated to the network in the last 7 days will be able to authenticate for 7 days more without any connection to cloud RADIUS servers.
  - This measure will be fully effective in case of Internet/ISP outages and Cloud/Azure outages.
- Disadvantages:
  - New users and devices, as well as those that did not authenticate in the last 7 days, will not be able to authenticate.
  - This measure will not be effective if the outage is caused by severe service disruption.
  - This measure will not be effective for Conditional Access for Applications.
You can install more than one local RADIUS server, for example, in different locations in your infrastructure.
To learn how to install and configure local RADIUS servers, see the following topics: Set up a local RADIUS server using a virtual machine and Run the local RADIUS server in a container.
Configure critical authentication on NAS devices
Many modern NAS models offer functionality that is called critical auth VLAN, critical authentication, fallback VLAN, authserver timeout VLAN, auth service-unavailable VLAN, 802.1X authentication escape, or similar. All these functions mean the same thing: if for any reason your NAS device cannot reach the Portnox Cloud servers, you can decide that any current or new devices are automatically assigned to a specific VLAN, for example, to allow them access to the Internet but to keep your sensitive networks secure.
- Advantages:
  - All your users and devices, no matter when they authenticated before, including new ones, will be assigned to the critical authentication VLAN and will be able to access services allowed by this VLAN's configuration.
  - This measure will be fully effective in every case, including when the outage is caused by severe misconfiguration of Portnox Cloud.
  - Because the critical authentication VLAN is only accessible temporarily in the unlikely event of a service disruption, you can configure it to be the most permissive VLAN, allowing users to access all the things they might need during an outage.
- Disadvantages:
  - Your users and devices will have the same access to all services permitted by the critical authentication VLAN, regardless of which group these users belong to; for example, both your marketing and IT departments would have the same permissions on the network.
  - Critical authentication must be configured by your specialist network engineer on your equipment.
  - Not all switch models and not all manufacturers offer such functionality.
To learn how to configure critical authentication, consult your switch documentation. We have also included as much information as we could in our configuration guides; see Configuring NAS devices for RADIUS access.
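As an added illustration, not part of the Portnox documentation and not Portnox's own configuration, here is how the two measures above (local RADIUS server as primary, critical authentication VLAN as fallback) fit together on a Cisco IOS access switch using the classic, pre-IBNS 2.0 authentication commands. The local RADIUS server is listed first in the server group so that it is the primary and sees every authentication it needs to cache, the cloud server follows as the backup, and the port falls back to a critical authentication VLAN only when no server in the group answers. All names, addresses, VLAN IDs and the shared secret are placeholders; take the real cloud RADIUS address, port and secret from your Portnox Cloud portal. The syntax differs on other vendors and on newer IOS-XE IBNS 2.0 configurations.

```cisco
! Added example, not Portnox's own configuration. Cisco IOS classic
! authentication syntax. Placeholders: 192.0.2.10 = local RADIUS server,
! 198.51.100.20 = Portnox Cloud RADIUS server, VLAN 99 = critical auth VLAN.
aaa new-model
dot1x system-auth-control

! Local RADIUS server on your premises (the cache and proxy)
radius server PORTNOX-LOCAL
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>

! Portnox Cloud RADIUS server (use the address and port shown in your portal)
radius server PORTNOX-CLOUD
 address ipv4 198.51.100.20 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>

! Servers are tried in the order listed: the local server must come first so
! that it handles (and caches) every authentication; the cloud server is backup.
aaa group server radius PORTNOX
 server name PORTNOX-LOCAL
 server name PORTNOX-CLOUD
 deadtime 10

aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX

! A server is marked dead after 3 unanswered tries within 10 seconds; a dead
! server is skipped for 10 minutes (deadtime) so logons do not wait on timeouts.
radius-server dead-criteria time 10 tries 3

! Send EAP-Success to supplicants placed in the critical VLAN so they finish 802.1X
dot1x critical eapol

! Access port: when every server in the group is dead, authorize the port into
! VLAN 99 (critical authentication VLAN); when a server is alive again,
! re-initialize the session so the device is authenticated against RADIUS again.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

The `server alive action reinitialize` line is what makes the permissive critical VLAN temporary: once a RADIUS server answers again, the port is re-authenticated and the device returns to the VLAN that Portnox Cloud assigns. To confirm the server order and dead/alive state before an outage occurs, use `show aaa servers`; to see which VLAN a port currently has and why, use `show authentication sessions interface GigabitEthernet1/0/10`.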