Results — Selected work

Case studies.

Three representative NAC engagements across the sectors we work in most. Client names are withheld under NDA; sectors and outcomes are described in anonymised form.

Case 01 · BFSI

Salvaged a stalled ClearPass rollout

A private-sector bank had spent months on a vendor-led Aruba ClearPass deployment that never reached production. Guest and employee onboarding worked in demos but broke under real branch traffic, and the security team had lost confidence in the platform.

Service: Troubleshooting → phased re-implementation · Duration: 12 weeks · Platform: Aruba ClearPass

Outcome

~70% · Fewer authentication incidents
Authentication-related helpdesk tickets fell by roughly 70% within the first month of cut-over.

12 wks · To production sign-off
Reached formal production acceptance in 12 weeks, against a rollout that had stalled for the better part of a year.

5 → 0 · Open severity-1 defects
Cleared the standing list of critical onboarding defects by walking the R-P-Po-V-E-A tree end to end.

Situation

A private-sector bank bought Aruba ClearPass to control who gets onto the network across its head office and branch estate. The rollout was vendor-led and ran for roughly nine months. Wired 802.1X for staff, self-service onboarding for guests, role-based access for everyone. In the lab it worked. On paper the project was complete and ready to sign off.

Complication

Production told a different story. Branch switches were intermittently dropping supplicants into the reject VLAN. Guest self-registration timed out under real traffic. Printers and IP phones bounced between roles and lost connectivity. The helpdesk was buried in "I can't get on the network" tickets, and the security team had stopped trusting the platform. Worst of all, a handful of branches had quietly switched their access ports back to open — disabling the very control the bank had paid to introduce. The deployment had stalled, and nobody could say exactly why.

Approach

We did not rip it out and start again. We ran the R-P-Po-V-E-A tree against the live environment. RADIUS: Change-of-Authorization packets were being dropped by a firewall sitting between the branches and the ClearPass cluster, so re-authentication failed silently. Profile: the fingerprint database was stale, leaving printers and phones unclassified and falling through to a deny role. Policy: enforcement rules were ordered so a broad catch-all matched before the specific device rules ever fired. VLAN: the return attributes were correct, but a switch configuration template was overriding them locally. Enforce and Audit: there was almost no useful logging, which is why none of this had been visible.
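The Policy finding above (a broad catch-all ordered ahead of the device-specific rules, so printers and phones fell through to a deny role) is easy to reproduce with a small first-match evaluator. The following Python is an added example, not ClearPass code or anything from the engagement: rule names, endpoint attributes and role names are constructed, and `shadowed_rules` is a hypothetical lint that flags any rule whose conditions are a superset of an earlier rule's, i.e. a rule that can never fire because an earlier, broader rule already catches everything it would match.

```python
"""First-match enforcement policy: the stale-ordering failure and a shadow lint.

Added example. Rule names, attributes and roles are constructed for illustration;
they are not Aruba ClearPass identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    match: dict   # attribute -> required value; an empty dict is a pure catch-all
    role: str


# Endpoints as a profiler would present them (constructed sample data).
PRINTER = {"auth_method": "MAB", "device_category": "Printer", "site": "branch-12"}
PHONE = {"auth_method": "MAB", "device_category": "VoIP Phone", "site": "branch-12"}
STAFF_PC = {"auth_method": "802.1X", "device_category": "Computer",
            "site": "branch-12", "user_group": "Staff"}

CATCH_ALL = Rule("Unknown-MAB-Catchall", {"auth_method": "MAB"}, "Deny-Access")
PRINTERS = Rule("Branch-Printers", {"auth_method": "MAB", "device_category": "Printer"}, "Printer-Role")
PHONES = Rule("Branch-Phones", {"auth_method": "MAB", "device_category": "VoIP Phone"}, "Voice-Role")
STAFF = Rule("Staff-Wired", {"auth_method": "802.1X", "user_group": "Staff"}, "Employee-Role")

# The ordering found in the field: the broad rule sits first.
BROKEN_ORDER = [CATCH_ALL, PRINTERS, PHONES, STAFF]
# The corrected ordering: most specific first, catch-all last.
FIXED_ORDER = [PRINTERS, PHONES, STAFF, CATCH_ALL]


def matches(rule: Rule, endpoint: dict) -> bool:
    """A rule matches when every one of its conditions holds for the endpoint."""
    return all(endpoint.get(k) == v for k, v in rule.match.items())


def first_match(rules, endpoint, default_role="Deny-Access"):
    """Evaluate top-down and stop at the first matching rule, as enforcement engines do."""
    for rule in rules:
        if matches(rule, endpoint):
            return rule.name, rule.role
    return "implicit-default", default_role


def shadowed_rules(rules):
    """Return (shadowed, shadowing) pairs.

    A later rule is shadowed when some earlier rule's conditions are a subset of
    its own: every endpoint the later rule could match, the earlier rule already
    matched, so the later rule never fires under first-match semantics.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.match.items() <= later.match.items():
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "printer ->", first_match(order, PRINTER))
        print(label, "shadowed:", shadowed_rules(order))
```

Running the lint against a rule set before it goes live is the cheap version of the "Policy" step: it does not need traffic, only the exported rule order, and it would have flagged both device rules as dead on the day they were written.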

From there we re-implemented on PVESIC. We rewrote policy from the bank's actual access model downward, rebuilt device profiling with both active and passive methods, corrected the CoA path, standardised the switch templates across sites, and turned on access tracking so every decision was recorded.

Result

Authentication-related helpdesk tickets fell by roughly 70% within the first month of cut-over. The deployment reached formal production sign-off in 12 weeks, against a rollout that had been stuck for the better part of a year. The standing list of five severity-1 onboarding defects was cleared to zero, and the branches that had opened their ports were back on enforced 802.1X. The product was never the problem. The implementation was.

Case 02 · Manufacturing

Segmented OT from IT across six plants

A discrete-manufacturing group ran flat networks where plant-floor OT and corporate IT shared the same broadcast domains. A single infected laptop could — and on one occasion nearly did — halt a production line.

Service: Implementation · Duration: 16 weeks across 6 sites · Platform: Cisco ISE

Outcome

0 · Unplanned OT outages
No production downtime attributable to network access since the segmentation cut-over.

6 · Plants standardised
One consistent segmentation and enforcement model deployed across all six facilities.

100% · Endpoint visibility
Every OT and IT device now profiled and placed in a segment aligned with the plant risk model.

Situation

A discrete-manufacturing group ran six plants across the country. At each site, corporate IT and plant-floor OT — PLCs, HMIs, SCADA servers, historians — shared the same flat Layer 2 networks. In places a single broadcast domain stretched across an entire site. The group had licensed Cisco ISE, but it was only doing basic wired authentication in the office areas. The plant floor was untouched.

Complication

A flat network means a compromised laptop or a contractor's device can reach a PLC directly. On one occasion a malware-carrying vendor laptop very nearly took a production line down — a problem caught by luck rather than by design. This was no longer just a security exposure; it was a production risk. And OT does not forgive the usual NAC playbook: you cannot point 802.1X at a fifteen-year-old HMI and expect it to authenticate, and you cannot tolerate the downtime that a heavy-handed enforcement mistake would cause.

Approach

We applied PVESIC, OT-first, with visibility before enforcement. Every OT and IT endpoint was profiled using ISE profiling and passive discovery — no active scanning near fragile OT gear. Segregation was designed with the plant engineers, not imposed on them: zones for control-level devices, SCADA, engineering workstations, corporate IT, and contractors, each mapped to the plant's own risk model. Enforcement was graded. We ran in monitor mode first, used MAB and static assignments for devices that could not do 802.1X, and applied dynamic VLAN and SGT policy only where it was demonstrably safe.

The rollout went plant by plant on one consistent model, fully change-controlled, with runbooks and Tier-2 training so each site's team could operate it without us.

Result

There have been zero unplanned OT outages attributable to network access since cut-over. All six plants now run the same segmentation and enforcement model, and every device on every site is profiled and placed in a risk-aligned segment. A contractor laptop can no longer see a PLC. The whole programme took 16 weeks across the six sites.

Case 03 · IT Services

Passed an ISO 27001 NAC audit, first attempt

A fast-growing IT services firm needed ISO 27001 certification but had no defensible evidence that its network access controls actually worked. The access-control clauses were the largest gap in their readiness review.

Service: Audit readiness · Duration: 6 weeks · Framework: PVESIC · Platform: FortiNAC

Outcome

0 · Non-conformities
Cleared every network access-control clause with zero non-conformities at the certification audit.

6 wks · To evidence-ready
A complete PVESIC evidence pack assembled and validated in six weeks.

1 · Consolidated evidence pack
A single auditor-ready bundle covering policy, visibility, enforcement, segregation, incident response, and change.

Situation

A fast-growing IT services firm was going for ISO 27001 certification, largely to satisfy enterprise clients who now required it. FortiNAC was already deployed and running. But the internal readiness assessment flagged network access control as the weakest area in the whole submission — the one most likely to produce a finding.

Complication

FortiNAC was enforcing access, but nobody could produce evidence an auditor would accept. There was no documented policy tying business access rules to what the platform actually did. The device inventory lived in three separate tools that disagreed with each other. Enforcement was happening, but it wasn't logged in a way that showed cause and effect. And the audit was six weeks out. A non-conformity on access control could delay certification past a client's contractual deadline — turning a compliance exercise into a commercial problem.

Approach

We used PVESIC as an evidence framework rather than an excuse to rebuild a working system. Policy: we documented the network access policy — who, on what device, under what conditions — and mapped each statement to a specific FortiNAC rule. Visibility: we reconciled the three inventories into a single source of truth taken from FortiNAC. Enforcement: we demonstrated quarantine and VLAN actions live and captured before-and-after evidence of each. Segregation: we mapped the network segments back to the firm's risk register. Incident Response and Change: we documented the playbook for enforcement events and the change trail for policy edits.

All of it was assembled into one consolidated, auditor-ready pack an assessor could read top to bottom without chasing loose ends.

Result

The firm cleared every network access-control clause with zero non-conformities, on the first attempt. The complete PVESIC evidence pack was assembled and validated in six weeks. Certification landed on schedule, and the client deadline was met. Nothing about the FortiNAC deployment changed — we simply proved, in a form an auditor trusts, that it did what it was supposed to.

We had written the platform off. Pavak proved the product was fine — our implementation wasn't. Ninety days later it just works, quietly, the way NAC is supposed to.

CISO, private-sector bank · Identity withheld under NDA · BFSI engagement