// ENTERPRISE NETWORKING / NETWORK ACCESS CONTROL
Decide who gets on the network, and what they reach.
The LAN is full of devices nobody chose to manage: cameras, badge readers, contractors' laptops, OT controllers. We design and deploy NAC and segmentation across Cisco ISE, Aruba ClearPass and Forescout, roll it out monitor-to-enforce so nobody gets locked out, then hand it over, all under your brand.
Start a NAC conversationA flat network trusts everything that plugs in.
Most enterprise LANs still hand out the same access to a managed laptop, an unpatched IoT camera and a contractor's personal phone, because the network was built for connectivity, not for proving who and what belongs on it. The estate of unmanaged and OT devices has exploded, and a flat network lets a single compromised endpoint move laterally to anything in minutes. Zero trust stops at the perimeter for most clients; it needs to reach the switch port. We design and deploy the access control and segmentation that makes the LAN prove identity and contain blast radius, then hand it over for your client's team to run. The control lands under your brand.
What we deploy.
NAC Design & Deployment
Cisco ISE or Aruba ClearPass architected to the estate, sized for the device count and integrated with Active Directory, MDM and the existing switching. Deployed in monitor mode first so we see every endpoint before a single one is denied, then enforced, then handed over to your client's team to run.
802.1X & Certificate Auth
Port-based authentication with EAP-TLS and machine or user certificates, so identity is proven by a certificate rather than a password that can be shared or phished. We stand up the PKI integration, the supplicant configuration and the fallback paths, then document the lot.
Segmentation & Microsegmentation
Cisco TrustSec with Security Group Tags, or dynamic VLAN assignment on Aruba, so a compromised laptop cannot reach the finance servers or the building management system. Policy follows the user and the device, not the switch port they happen to plug into.
Device Profiling & IoT Visibility
Agentless profiling with Forescout, ISE or ClearPass fingerprints every camera, badge reader, infusion pump and PLC the moment it joins. You get a live inventory of the unmanaged and OT estate that no agent could ever cover, and a policy for each device class.
Guest & BYOD Onboarding
Self-service guest portals, sponsor approval and certificate-based BYOD enrolment that puts personal devices on the right segment without a help-desk ticket. Contractors and personal phones get access that is scoped, logged and time-bound.
Posture & Compliance Enforcement
Endpoints checked for disk encryption, patch level, EDR presence and firewall state before they reach anything sensitive, with non-compliant devices quarantined to a remediation VLAN. The control maps directly to NIS2 and Cyber Essentials evidence.
The numbers behind the access problem.
How the options compare.
What your client gets from an open network, a single-vendor reseller, or our team under your brand.
Network access, answered straight.
01 Cisco ISE or Aruba ClearPass, which one?
It depends on the estate. ISE is the natural fit where the network is already Cisco and the client wants TrustSec segmentation and deep integration with the wider Cisco security stack. ClearPass is genuinely multi-vendor and often the better choice on mixed or Aruba switching, with strong agentless profiling out of the box. We design for whichever serves the client, not whichever we prefer to sell, and we deploy Forescout alongside either one when device visibility is the priority.
02 How do you handle IoT and OT devices that cannot run an agent?
Agentlessly. A camera, badge reader or infusion pump will never run a supplicant, so we profile it instead: ISE, ClearPass and Forescout fingerprint each device by its behaviour, DHCP signature and traffic pattern, then place it on a segment scoped to exactly what it needs to talk to. The result is a live inventory of the unmanaged estate and a policy per device class, with no software touching the device.
03 Will turning on NAC lock our client's users out?
Not the way we run it. Every deployment starts in monitor mode, which authenticates and logs every endpoint but denies nothing, so we can see the full picture, fix the stragglers and tune policy against real traffic. Only once the estate is clean do we move to enforcement, segment by segment. The phased path is the whole point: visibility first, enforcement second, no Monday-morning outage.
04 Who runs the NAC platform after it goes live?
Your client's team does, or your team under your brand. We design, deploy, tune and validate the platform, then hand it over with the policy model, the runbooks and the knowledge transfer to operate it. Belico builds and hands over on a project basis; we are not a managed service and we do not run the platform on an ongoing contract. If you offer NAC operations under your own brand, we are happy to be the engineering behind it.
05 Does this help with NIS2 and segmentation requirements?
Directly. NIS2 Article 21 expects network segmentation and access control as baseline cyber hygiene, and a NAC plus segmentation build is the clearest way to evidence it. We package the segmentation architecture, the policy matrix and the enforcement evidence so the control is auditable rather than asserted, and the same artefacts support Cyber Essentials and ISO 27001.
06 We already run 802.1X. Can you build on it?
Yes, and that makes the project faster. If wired and wireless 802.1X is already in place, the heavy lifting of supplicant configuration is largely done, so we extend it into full NAC: profiling for the devices that cannot do 802.1X, posture checks on the ones that can, dynamic segmentation policy, and guest and BYOD flows. We meet the estate where it is rather than starting from a blank slate.
Tell us what your clients need.
A tri-cloud migration. A 200-site SD-WAN rollout. A security architecture before NIS2 hits. An AI system your client is asking about next quarter. We scope it, staff it, and deliver it under your brand. One conversation tells us if we are the right team.