An Ounce of Prevention: Access Control Resilience During Internet Outages


Benjamin Franklin famously said that an ounce of prevention is worth a pound of cure. When it comes to access control, that prevention starts with planning for internet outages before they happen.

Cloud-native access control delivers enormous advantages in scalability, visibility, and centralized policy enforcement—but real-world networks don’t operate in perfect conditions. Internet outages, degraded connectivity, and upstream service disruptions are a reality for many organizations, and when they occur, access control can quickly become a single point of failure. The question isn’t whether outages will happen. It’s whether access control is designed to fail safely when they do.

Portnox addresses this challenge by building resilience directly into authentication and authorization workflows. Through features like critical authentication VLANs and a local RADIUS server, organizations can maintain secure, controlled access—even when connectivity to the cloud is interrupted. In this post, we’ll take a closer look at how Portnox helps ensure access control continuity during internet outages, and how customers can choose the right strategy for their environment without compromising zero trust principles.

Designing for Failure Without Abandoning Zero Trust

Zero trust assumes that environments are dynamic, unpredictable, and occasionally degraded. Network outages, upstream service disruptions, and local infrastructure failures are all realities that access control systems must account for. Resilience in this context doesn’t mean bypassing security controls. It means ensuring that access decisions remain intentional, auditable, and constrained—even when full connectivity isn’t available. Portnox approaches this challenge by building multiple layers of resilience into its access control architecture. Rather than relying on a single fallback mechanism, organizations can choose how access behaves during an outage based on their operational needs, risk tolerance, and environment.

Layer One Resilience: Critical Authentication VLANs

Critical authentication VLANs, also sometimes known as fallback VLANs or fail-open VLANs, provide a controlled fallback mechanism when authentication cannot be completed due to connectivity issues. When enabled, devices that are unable to authenticate normally—such as during an internet outage—are placed into a predefined VLAN with restricted access. This ensures users are not completely locked out, while still preventing unrestricted network access.

Key characteristics of a critical auth VLAN include:

  • Intentional access limitations: Only essential resources are reachable.
  • Predictable behavior: Network teams know exactly what happens during an outage.
  • No fail-open risk: Devices do not receive broad network access by default.

This approach is especially valuable in environments where availability matters, but full access during an outage would create unacceptable risk. Rather than scrambling to apply emergency overrides, organizations can rely on predefined, least-privilege access paths that align with zero trust principles. Critical auth VLANs represent graceful degradation—not reduced security.
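One way to check that a critical auth VLAN really is a restricted fallback and not a fail-open path is to audit the switch port configuration. The script below is an added example, not Portnox code; it assumes Cisco IOS-style interface syntax (the post names no switch vendor), and the sample config and the `RESTRICTED_VLANS` set are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the post names no vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action authorize vlan 999
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action authorize vlan 10
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
!
"""
RESTRICTED_VLANS = {999}  # hypothetical: VLANs whose ACLs permit only essential resources
DEAD_RE = re.compile(r"authentication event server dead action authorize vlan (\d+)")
ACCESS_RE = re.compile(r"switchport access vlan (\d+)")

def audit_critical_vlans(config, restricted=RESTRICTED_VLANS):
    """Return {interface: finding} for every port that enforces 802.1X."""
    findings = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        header = re.search(r"^interface (\S+)", block, flags=re.M)
        if not header or "authentication port-control auto" not in block:
            continue  # not an interface stanza, or 802.1X is not enforced on it
        dead = DEAD_RE.search(block)
        access = ACCESS_RE.search(block)
        if dead is None:
            finding = "no-critical-vlan"   # clients are locked out when RADIUS is unreachable
        elif access and dead.group(1) == access.group(1):
            finding = "fail-open"          # an outage grants the normal production VLAN
        elif int(dead.group(1)) not in restricted:
            finding = "unreviewed-vlan"    # fallback VLAN is not a known restricted one
        else:
            finding = "ok"
        findings[header.group(1)] = finding
    return findings

if __name__ == "__main__":
    print(audit_critical_vlans(SAMPLE_CONFIG))
```

Ports reported as `fail-open` or `unreviewed-vlan` are the ones where an outage would grant more than the intended least-privilege access.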

Layer Two Resilience: Local RADIUS Authentication

While critical auth VLANs provide controlled fallback, some organizations require authentication to continue even when internet connectivity is unavailable. This is where Portnox’s local RADIUS server comes into play. The local RADIUS server allows authentication requests to be handled locally, reducing reliance on external connectivity for access decisions. This enables organizations to maintain normal authentication workflows during outages, rather than shifting users into a limited-access state.

Local RADIUS is particularly useful in:

  • High-availability environments
  • Sites with unstable or intermittent internet connectivity
  • Operational environments where restricted access would disrupt core functions

Importantly, this approach does not abandon zero trust. Authentication policies remain defined centrally, while enforcement continues locally. The result is continuity without compromising policy intent or control. Rather than treating outages as an exceptional case, local RADIUS authentication makes resilience part of everyday operations. To see how this works in practice, check out our documentation, and then watch our step-by-step video walkthrough that demonstrates how to configure and deploy the local RADIUS server.

Choosing the Right Resilience Strategy for Your Environment

There is no single “correct” approach to outage resilience. Different environments have different requirements, and Portnox is designed to support that flexibility. Critical auth VLANs are ideal when limited access is acceptable during an outage and simplicity is a priority. Local RADIUS authentication is better suited for environments that require uninterrupted access enforcement. Many organizations choose to use both, layering controlled fallback access with continued local authentication to address multiple failure scenarios across sites and use cases. By offering multiple resilience options—individually or together—Portnox allows customers to design access control strategies that reflect real-world needs, rather than forcing trade-offs between availability and security.

Access Control That Holds Up Under Real-World Conditions

Internet outages shouldn’t force organizations into insecure decisions or reactive workarounds. With the right planning, access control can remain intentional, constrained, and aligned with zero trust—even when connectivity is disrupted. Portnox builds resilience directly into its access control platform, giving organizations the tools they need to maintain continuity without sacrificing control. Whether through controlled fallback access or continued local authentication, customers can ensure their access policies hold up under real-world conditions. When it comes to access control, preparation really is worth far more than a cure.
