Cloud-hosted network access control

Know every device. Control every connection.

Arbiter helps you decide which devices can access your network and what they can do once connected. Cloud-hosted network access control built for SMEs and the MSSPs that support them.


Free while Arbiter is in beta.

Free during beta · EU-resident, NIS2 aligned · Cancel any time

Works with the network you already have

Cisco, Aruba, Juniper, Meraki, Ubiquiti, MikroTik, any RADIUS-capable device

Profiling, in practice

See your fleet, classified, on day one

Every device that connects is identified and catalogued automatically, classified by type and vendor. The result is a complete, always-current asset inventory: the network visibility NIS2 and cyber insurers expect, with no agents to install on your devices.

327 endpoints

  • Operating System: 62 (19%)
  • IP Phone: 52 (16%)
  • Access Point: 50 (15%)
  • Access Panel: 47 (14%)
  • Printer or Scanner: 32 (10%)
  • Storage Device: 29 (9%)
  • Building Management System: 29 (9%)
  • Video Conferencing Equipment: 26 (8%)

Snapshot from a demo tenant. Categories derived from relayed DHCP fingerprints, RADIUS attributes and active scanning (NMAP).

Endpoints: 107 devices · live

MAC | Vendor | Device class | Auth type | Status | Last seen
a8:11:b2:00:00:59 | Tuya Smart Inc. | Internet of Things (IoT) | MAB | | 16 Jun, 10:48
00:0e:58:00:00:54 | Sonos, Inc. | Audio, Imaging or Video | MAB | | 16 Jun, 10:48
ac:cc:8e:00:00:4e | Axis Communications | Audio, Imaging or Video | MAB | | 16 Jun, 10:48
80:5e:c0:00:00:43 | Yealink Network | VoIP Device | MAB | | 16 Jun, 10:48
e0:2f:6d:00:00:3d | Cisco Systems, Inc | VoIP Device | MAB | | 16 Jun, 10:48
8c:b0:e9:00:00:38 | Samsung Electronics | Phone, Tablet or Wearable | 802.1X | | 16 Jun, 10:48
00:1a:11:00:00:31 | Google, Inc. | Phone, Tablet or Wearable | 802.1X | | 16 Jun, 10:48
00:04:33:00:00:21 | Apple, Inc. | Operating System | 802.1X | | 16 Jun, 10:48

Recreation of the Arbiter endpoint inventory. Sample data.

Cyber-insurance and audit ready
Every device, every authentication verdict, every policy decision, recorded. The access-control evidence auditors and insurers ask for at renewal, already in the portal.
Unknown devices stay off
Plug an unknown laptop into a wall port or hop on guest WiFi and Arbiter decides whether it belongs on your network at all. Default-deny, with clean exceptions.
No on-prem NAC to maintain
A small Edge appliance tunnels to the cloud over RadSec. No NAC server farm to patch, no on-call rota, no consultants on retainer.
Every feature on every tier
Guest portal, MDM integrations, policy engine, SIEM forwarding. No advanced licence, no add-ons to bolt on later. Tiers differ by endpoint count only.
Zero-trust access

Move past shared passwords to certificate-based access

Shared passwords are easy to leak, difficult to manage and impossible to trust.

Arbiter replaces them with device identity, using certificates, EAP-TLS and 802.1X so only trusted devices can access your network.

Cloud-hosted PKI and RADIUS remove the operational burden, delivering enterprise-grade network access control, zero-trust security and audit-ready compliance as a cloud service.

How it works

A lightweight appliance between your switches and the cloud

Your switches speak standard RADIUS to an on-premises Edge. The Edge tunnels to the Arbiter cloud over RadSec. When the WAN drops, the Edge keeps authenticating on its own.

Switches authenticate against the Edge. The Edge forwards to the cloud, which applies your policy and records the audit trail.

Your site

Switches and access points across your offices

  • Laptops (802.1X)
  • Guest WiFi
  • Printers
  • IoT devices

Arbiter Edge

A tiny appliance pair that bridges your switches to the cloud

Local authentication: Standby

Tunnel healthy: 30-day MAB cache and local EAP-TLS server stay warm, ready to take over the instant the WAN drops.

Arbiter cloud

The policy engine, PKI and audit log

  • Policy decision
  • Per-tenant PKI
  • Audit trail
Up and running fast

Three steps to live

NAC has a reputation for being hard to roll out. Arbiter is not. You go from nothing to enforcing access in three steps, with no point where you risk locking yourself out of the network.

1. Deploy the Edge (About 10 minutes)
Spin up the lightweight Edge pair on your own network. It opens a secure, outbound-only RadSec tunnel to the cloud. No inbound firewall changes.

2. Run in monitor mode (Zero network risk)
Point your switches and access points at the Edge. Arbiter maps and profiles every device silently. Nothing is blocked, so you see exactly what is on your network.

3. Flip to enforcement (One-click security)
Review your auto-generated inventory, then activate your rules. Unknown devices are quarantined or shunted to an isolated guest VLAN automatically.

Key capabilities

What is in every tier

All nine capabilities ship today, on every access control tier. No advanced licence, no per-feature surcharges, no add-ons to bolt on later.

NIS2 asset register
Turn device discovery into an audit-ready asset register. Track ownership, criticality, business function and location for every asset, with automatic enrichment from MDM and authentication data.
RADIUS Insights
See the shape of your network. Understand how devices, identities and policies interact through authentication analytics across your environment. Explore access patterns over 24 hours, 7 days and 30 days, filtered by policy, NAS, MAC address, certificate or device class.
RadSec via Arbiter Edge
Secure RADIUS communications over a single outbound connection, with mutual TLS authentication, resilient offline operation and centralised policy enforcement.
Policy Simulator
Test a rule against a real endpoint’s attributes and see the match count before it ever touches live RADIUS traffic.
Guest WiFi captive portal
Enable secure guest onboarding with branded portals, time-limited accounts and network isolation.
MDM integrations
Intune and Jamf compliance posture is integrated directly into access policy decisions through read-only scoped accounts, with no per-device licensing costs.
Arbiter PKI and BYO CA
Deploy certificate-based authentication with built-in PKI or your existing certificate authority. Certificate lifecycle management, rotation and revocation are included as standard.
Custom access profiles
Match on identity, certificate, MAC, OUI, device profile or time-of-day, emit standard VLAN and ACL attributes, export the full set as JSON or CSV.
SIEM egress
Your security data, where you need it.
Forward authentication, policy and security events to Sentinel, Splunk, Elastic, syslog or any HTTPS-compatible collector.
Risk-free rollout

Will this break my network?

Arbiter ships in monitor mode by default. Roll it out and see exactly what would happen if your policies were enforced, for as long as you need, without denying a single device. Most customers go from zero to a working policy set without writing rules from scratch.

You move from "I hope this works" to "I have evidence this works" before enforcement ever goes live.

Trust, but verify

Measured, not claimed

Arbiter publishes live service availability and authentication latency. The public status page updates every minute with 90 days of visible history, including p50, p95 and p99 latency. Probes fire every 15 seconds from London, Amsterdam and Paris.

From the dev log
24 June 2026 · 7 min read
NIS2 in Ireland: From Compliance Burden to Cyber Resilience with Arbiter

Prepare for NIS2 with Arbiter: automatic device discovery, wired and wireless network access control, managed PKI and a live asset register for compliance and cyber resilience.

Who it is for

Built for modern IT teams

SMEs running 50 to 1,500 endpoints
Real access control without enterprise complexity. Uplift blocks stack on the Enterprise tier when you grow past that.
MSPs adding NAC to their catalogue
Multi-tenant from day one. Per-tenant isolation, per-tenant billing and partner pricing.
Enterprise NAC without the infrastructure overhead
Get the power and flexibility of certificate-based authentication without managing RADIUS servers, PKI infrastructure, databases or upgrades.
Pricing

Transparent, monthly, no surprises

Start with Asset Discovery for visibility, or choose a network access control tier for full enforcement. Point your devices at Arbiter and cancel any time. Every access-control tier includes the full product: no feature gating and no per-feature surcharges. They differ by endpoint count only.

Device profiling, Asset Inventory, Arbiter PKI, BYO CA, 802.1X (EAP-TLS), MAB fallback, Monitor mode, Recommendation engine, Per-tenant RADIUS isolation, Intune integration, RadSec, Guest WiFi captive portal, SIEM egress

  • Asset Discovery (Visibility): €29 per month. Profiling only, no enforcement
  • Essential: €149 per month, 100 endpoints
  • Professional (Most popular): €399 per month, 500 endpoints
  • Enterprise: €999 per month, 1,500 endpoints

Not ready for full network access control? Asset Discovery is the visibility-only entry tier: a 60-day free trial, then €29/month, with a one-click upgrade to an access-control tier when you are ready. It profiles and inventories your devices but does not enforce access.

Need more? Stack uplift blocks on Enterprise: +€199 / 500 endpoints (€0.40/ep), +€349 / 1,000 endpoints (€0.35/ep), +€699 / 2,500 endpoints (€0.28/ep). MSP partner pricing available. Discounts for longer terms.

Beta

Arbiter is currently in beta. There is no trial end date: use Arbiter free of charge until we release v1.0. Founding customers receive significant discounts at the transition to paid plans, with ample notice before any change. No automatic conversion until you activate a subscription yourself.

Start controlling network access in hours, not months

Free while Arbiter is in beta. No payment required, cancel any time.
