The chance discovery of a consultant plugging in a laptop on its network led Missouri insurance company GEHA to install NAC as a means for segregating visitors from the corporate LAN.

Since installing Nevis Networks' LANenforcer devices on its network this fall, the company has used it to control unauthorized visitors, but has held off using other features except for monitoring purposes, says Justin Gerharter, systems engineer for the firm.

Eventually, the company will use the gear to scan endpoints to make sure they comply with security posture and to monitor behavior of devices after they are on the network to make sure they behave according to policy.

The company saw a need for NAC in July when it caught an unauthorized user logging in. "One day the guy sitting next to me happened to be going through DHCP scopes and saw an unfamiliar network name associated with an IP address," says Gerharter. "Sure enough, it was a consultant who had plugged a laptop in. That was the incident that drove home the need for [NAC]."

The consultant wasn't up to mischief, but the incident set off a wave of concern. "The question was raised, how many times has this happened?" Gerharter says.

The desire was to make sure that every machine that got on the network at the very least was authorized to be there, he says. "If they were on, we wanted to make sure we had control over where they could get to," Gerharter says.

The company sought advice on which NAC vendor to use from its resellers and came back with Cisco and Nevis as options. The company tested Nevis gear at a VAR's demonstration site. It tried but could not schedule a test of the Cisco gear, so Gerharter chose Nevis.

He liked that the Nevis device is in-line and plugs into access switches, becoming an enforcement point for the NAC policies. The company has about 25 Cisco access switches that feed into a Cisco core. The company required one LANenforcer 2024 at each site plus a LANsight management platform.

To put the device in place, he unplugged the connections between the access and core switches and plugged them into the LANenforcer instead. The device is set up with port pairs, one port taking the connection from the access switch, one taking the connection to the core switch. "You plug the edge switch into the top port and the core switch into the bottom port of the same port pair," he says.

Setting up NAC policies took very little training, he says. Guests have only one option, which is Internet access. That access for guests could be expanded if the need arose, he says. For company users and wired desktops, GEHA is running in monitoring mode only to gather logs of network behavior. The plan is to implement access policies for them next year.

GEHA ran across one glitch that temporarily stalled out its Avaya IP phones, Gerharter says.

When Avaya phones boot, they boot first into the data VLAN to receive its IP options, then reboot into the VoIP VLAN, Gerharter says.

GEHA configured the Nevis box so it inadvertently restricted this process. The Nevis policy that was set identified the phones by MAC address and allowed access only to the VoIP VLAN. That effectively locked the phones off the network because they had no way to go through the first half of their booting process, he says.

"We were making the network more secure than we needed to, and for these phones it created a problem," he says. He says Nortel phones boot in a similar way; Cisco's don't.

In addition to restricting guests to the Internet, the Nevis gear provides logs that reveal more detail about network traffic than Gerharter could get before. "We discovered things we never thought about as far as what people are doing and where they're going. There's been many unplanned benefits," he says.