Reactive measures: What to do if an outage happens

In this topic, you will learn what reactive steps you can take to maintain partial access to your services secured by Portnox™ Cloud in case of a fault or an outage.

Important: Before you take reactive measures, make sure that you have taken all possible preventive measures. In most circumstances, with preventive steps in place, you will not need to take any reactive measures.

Turn on the monitoring mode

Important: This measure will not work in case of an Internet/ISP outage. It is meant for temporary recovery from severe Portnox Cloud misconfiguration.

When you turn on the monitoring mode, all devices trying to connect to the NAS will be granted access, whether or not they can authenticate. However, if there are issues with the configuration, Cloud will still generate alerts to inform you of these problems.

To turn on the monitoring mode for your entire network (for severe cases only), see the following topic: Turn on the global monitoring mode.

To turn on the monitoring mode only for some NAS devices (when the fault affects only part of your network), see the following topic: Turn on monitoring mode for a NAS device.

Configure critical authentication on NAS devices

Critical authentication is listed as a preventive measure and we strongly recommend treating it as a preventive measure, not a reactive measure. However, if you did not configure critical authentication, you can also do this during an outage/fault with the same results.

Turn on force authorized mode on NAS devices

When you configure authentication on NAS devices, you have an option to choose one of the following operational modes:

  • auto: Devices that authenticate correctly using 802.1X are allowed access. Devices that fail 802.1X authentication are denied access.
  • mac-based: Devices are allowed access or denied access depending on their MAC addresses.
  • force authorized: All devices are treated as authenticated (force the NAS to treat all devices as authorized).
  • force unauthorized: All devices are denied access (force the NAS to treat all devices as unauthorized).

During an outage, you can access your NAS device and temporarily change this mode to force authorized. However, this means that every device that connects to the NAS will be given access. For security reasons, you may want to temporarily reconfigure your primary VLAN so that it does not give access to any sensitive information.

After the outage is over, you need to reconfigure your NAS devices back to their original settings.

Note: This measure should be treated as a fallback measure in case everything else fails, because it requires the most work and it carries the most security risks.

To turn on the force authorized mode, consult your NAS device documentation. Check in your device documentation whether you can do this for a template that is applied to many interfaces, which will make the process faster. We also strongly recommend learning how to change the mode to force authorized before an outage happens.
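
The following script is an added example, not part of the Portnox documentation. It compares a configuration backup taken before the outage with the current configuration and lists the ports that were not restored to their original mode. It assumes Cisco IOS-style syntax (authentication, access-session or dot1x port-control lines); the function names and sample configurations are constructed for illustration.

```python
import re

# Assumed Cisco IOS-style syntax; adjust the patterns for your NAS vendor.
INTERFACE = re.compile(r"^interface\s+(\S+)", re.I)
PORT_CONTROL = re.compile(
    r"^\s+(?:authentication|access-session|dot1x)\s+port-control\s+(\S+)", re.I)

def port_modes(config_text):
    """Map each interface to its port-control mode (None if no such line)."""
    modes, current = {}, None
    for line in config_text.splitlines():
        m = INTERFACE.match(line)
        if m:
            current = m.group(1)
            modes[current] = None
        elif line and not line[0].isspace():
            current = None  # "!" or a global command ends the interface stanza
        elif current and (m := PORT_CONTROL.match(line)):
            modes[current] = m.group(1).lower()
    return modes

def not_restored(baseline_text, current_text):
    """Return (interface, baseline_mode, current_mode) for ports that differ."""
    base, now = port_modes(baseline_text), port_modes(current_text)
    return sorted((ifc, mode, now.get(ifc))
                  for ifc, mode in base.items() if now.get(ifc) != mode)

# Constructed sample configs (not from a real device).
BASELINE = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""
# Simulate one port left in the outage setting after the rollback.
AFTER_OUTAGE = BASELINE.replace("port-control auto", "port-control force-authorized", 1)

if __name__ == "__main__":
    for ifc, want, got in not_restored(BASELINE, AFTER_OUTAGE):
        print(f"{ifc}: baseline {want}, now {got}")
```

Save the baseline before changing any port to force authorized, so that the comparison reflects the settings you actually need to return to.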