TL;DR. Most organisations do not start with network access control. They start with a visibility problem. Arbiter Asset Discovery gives you a continuously updated inventory of every device on your network, enriched with identity, operating system, vendor and MDM compliance signals. When you are ready, you can extend into full RADIUS-based access control.
Start with visibility, not enforcement
Network security projects often fail at the first step: understanding what is actually connected. Before you can enforce identity, policy or compliance, you need a reliable answer to a simple question: what devices exist on my network right now?
Arbiter Asset Discovery is designed to answer exactly that, without requiring a full NAC rollout. It gives immediate visibility into connected infrastructure, making it the natural starting point for organisations beginning their network security journey.
A continuously updated asset inventory
Asset Discovery turns raw network activity into a living inventory of every device on the network. It identifies and tracks endpoints by:
- Device category (laptop, phone, printer, IoT, infrastructure)
- Operating system
- Vendor
- Switch and physical port, read from the network fabric itself
- Hardware serial and model, for devices that advertise it
- Network behaviour and DHCP fingerprinting
- Active network presence and churn (new versus departing devices)
Each device is updated continuously as it appears, moves or disappears from the network. The result is a real-time view of the environment, not a static snapshot.
Every chart in the inventory drills in. Click any category, operating system, vendor, open port, discovery source or compliance segment and you get exactly those devices, filtered. And every fact on a device record is grouped by the source that asserted it (RADIUS, DHCP, the network scan, SNMP topology or Fingerbank), so the inventory is not just a list, it is a defensible record of how you know what you know.
Enriched with identity and compliance signals
Visibility becomes far more powerful when paired with identity and management context. When a device authenticates to the network with a certificate (Entra-joined, 802.1X), Asset Discovery layers on its management state:
- Intune MDM status
- Device compliance state
- Security posture indicators where available
The compliant-versus-non-compliant split is its own click-through breakdown, so you can jump straight from the chart to the devices that are failing policy.
That turns the inventory into a clear managed-versus-unmanaged picture: certificate-backed corporate devices carry their Intune compliance, and everything else stands out as unmanaged or unknown, exactly the endpoints worth a second look. None of this needs Arbiter in the enforcement path: the managed-versus-unmanaged picture is built by observation, which keeps Asset Discovery firmly a profiling tier. It gives you a complete asset inventory, clear compliance evidence for obligations such as NIS2 and a solid foundation for the move from visibility to control whenever you decide to make it.
Identify unknown and unmanaged devices
One of the most valuable outputs of Asset Discovery is simple: highlight what you do not recognise. Unknown devices are surfaced clearly within the inventory, so teams can:
- Investigate unmanaged infrastructure
- Detect rogue or shadow IT devices
- Identify infrastructure gaps
- Improve overall network hygiene
For many organisations, this alone provides immediate security and operational value.
Active scanning: optional nmap sweeps from the Edge
Passive observation sees a device only when it authenticates or asks for an address. A printer on a static IP that never does either stays invisible. Yet those silent devices (cameras, building controllers, lab gear, anything unmanaged) are often exactly what a security team most wants on the inventory.
Asset Discovery closes that gap with optional active discovery. The same on-premises Edge appliance that already carries your RADIUS and DHCP traffic can run scheduled nmap scans inside your network, on a cadence and address range you choose in the portal (for example a nightly or weekly sweep at a quiet hour). There are no extra collectors, probes or virtual machines to deploy, and nothing to install on the endpoints themselves.
It is off by default and deliberately constrained:
- Opt-in per tenant, configured entirely from the portal
- Private (RFC1918) address space only, with a /24 ceiling per range
- Out of band: a scheduled task on the Edge, never in the live authentication path
- One scan at a time, so a slow sweep can never overlap the next
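The address-range rule above, written out as a validator. This is an added example, not Arbiter's own code: the function names and messages are assumptions, and "/24 ceiling" is read as "a /24 or smaller". It tests RFC 1918 membership explicitly because Python's `is_private` flag is broader and also accepts loopback and link-local space.

```python
import ipaddress

# The three RFC 1918 blocks, tested explicitly (is_private would be too loose).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 24  # assumption: "/24 ceiling" means no range larger than a /24


def validate_scan_range(cidr):
    """Return (ok, reason) for one requested scan range (hypothetical helper)."""
    try:
        # strict=True rejects host bits, e.g. 192.168.1.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network: {exc}"
    if net.version != 4:
        return False, "only IPv4 RFC 1918 space is allowed"
    if not any(net.subnet_of(block) for block in RFC1918):
        return False, "outside RFC 1918 private space"
    if net.prefixlen < MIN_PREFIX:
        return False, f"larger than /{MIN_PREFIX}"
    return True, "ok"


def partition_ranges(cidrs):
    """Split a requested list into accepted ranges and (range, reason) rejects."""
    accepted, rejected = [], []
    for cidr in cidrs:
        ok, reason = validate_scan_range(cidr)
        if ok:
            accepted.append(cidr)
        else:
            rejected.append((cidr, reason))
    return accepted, rejected


# Constructed sample request.
ACCEPTED, REJECTED = partition_ranges(
    ["192.168.10.0/24", "10.20.30.128/25", "10.0.0.0/16", "127.0.0.0/24"])
```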
Every scan feeds straight back into the same inventory. A device already known from authentication or DHCP has its record enriched with:
- Open ports and exposed services
- Operating system fingerprint, an optional probe that stays off by default, since OS detection can upset fragile IoT and OT devices
- Vendor, derived from the hardware (MAC OUI) address
A device the platform has never seen, the static-IP printer or the unmanaged controller, becomes a brand-new inventory entry tagged as scan-discovered. That is the whole point of active discovery: to surface what passive observation cannot.
Scans also stitch the picture together rather than fragment it. A device seen by authentication, by DHCP and by a scan is one inventory entry, not three. Findings are matched by hardware address where the scan can read one, and by IP address where it cannot (for instance a device on a routed subnet the Edge reaches through a gateway), so the open-ports and operating-system detail land on the endpoint your policy already knows instead of creating a duplicate.
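A sketch of that matching rule, as an added example rather than Arbiter's implementation: sightings are keyed by MAC where one is present and by IP otherwise, and facts stay grouped by the source that asserted them. The record layout, function names and sample sightings are assumptions constructed for illustration.

```python
def normalise_mac(mac):
    """Canonical lower-case colon form, or None when no usable MAC was seen."""
    digits = "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def merge_observations(observations):
    """Fold per-source sightings into one record per device.

    Match on MAC where the source supplied one, otherwise on IP.
    """
    devices, by_ip = {}, {}          # key -> record, IP -> key
    for obs in observations:
        mac, ip = normalise_mac(obs.get("mac")), obs.get("ip")
        if not mac and not ip:
            continue                 # nothing to match on
        known = by_ip.get(ip)
        if mac:
            key = mac
            # An earlier IP-only sighting of this address is the same device:
            # promote it to the MAC key instead of leaving a duplicate.
            if known and known.startswith("ip:") and key not in devices:
                devices[key] = devices.pop(known)
        else:
            key = known or f"ip:{ip}"
        rec = devices.setdefault(key, {"mac": None, "ips": set(), "facts": {}})
        rec["mac"] = mac or rec["mac"]
        if ip:
            rec["ips"].add(ip)
            by_ip[ip] = key
        rec["facts"].setdefault(obs["source"], {}).update(obs["facts"])
    return devices


# Constructed sample sightings (not real data).
SAMPLE = [
    {"source": "radius", "mac": "AA-BB-CC-00-11-22", "facts": {"nas_port": "Gi1/0/7"}},
    {"source": "dhcp", "mac": "aa:bb:cc:00:11:22", "ip": "10.0.5.20",
     "facts": {"hostname": "lt-0042"}},
    {"source": "scan", "ip": "10.0.5.20", "facts": {"open_ports": [22, 443]}},
    {"source": "scan", "ip": "10.0.9.7", "facts": {"open_ports": [9100]}},
]
INVENTORY = merge_observations(SAMPLE)
```

IP-only matching is only as good as the IP-to-device mapping at scan time, so in practice the fallback should be fed sightings in time order and treated as weaker evidence than a MAC match.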
Switch intelligence: agentless discovery over SNMP
Scanning sees one subnet at a time. Your switches already see everything. So beyond sweeping your subnets, Arbiter reads your switches directly, read-only, over SNMP. A single switch already knows every device on every VLAN it serves: its IP, its MAC and the exact port it is plugged into. One read-only poll inventories the whole fabric without touching a single endpoint.
This is broader and gentler than active scanning. It never probes the endpoints themselves, so it is safe for fragile IoT and OT gear, and it never writes to your network equipment.
From the switches, Arbiter learns:
- Cross-VLAN visibility from one vantage point. A scan only sees its own segment; reading a switch ARP table gives the IP-to-MAC mapping for every device across every VLAN.
- Switch-port location. The bridge forwarding (FDB) table maps each device to the exact switch and physical port it is plugged into, a cross-check on the RADIUS port and the detail an asset register needs: not just what a device is, but where it is.
- Hardware serial, model and firmware for IP phones and access points that advertise it over LLDP-MED, the detail an auditor asks for.
- Neighbour identity over CDP and LLDP, which fills the unknown-vendor and unknown-class gaps for phones, access points and switches.
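How the ARP and forwarding tables combine into a device location, as an added example (not Arbiter's code) over constructed table rows; the function name, switch names and tuple layout are assumptions. It goes one step beyond the text by using CDP/LLDP neighbour data to discard inter-switch ports, since a MAC is learned on every switch its traffic crosses.

```python
def locate_devices(arp, fdb, uplinks):
    """Join ARP (IP -> MAC) with FDB (MAC -> switch/port) to place each device.

    arp:     iterable of (ip, mac)
    fdb:     iterable of (switch, port, mac)
    uplinks: set of (switch, port) that CDP/LLDP shows facing another switch
    Only sightings on non-uplink (edge) ports say where a device is plugged in.
    """
    edge = {}
    for switch, port, mac in fdb:
        if (switch, port) not in uplinks:
            edge.setdefault(mac.lower(), []).append((switch, port))
    located = {}
    for ip, mac in arp:
        ports = edge.get(mac.lower(), [])
        located[ip] = {
            "mac": mac.lower(),
            # Exactly one edge port is a confident location; none or several
            # are left unresolved rather than guessed.
            "location": ports[0] if len(ports) == 1 else None,
            "ambiguous": len(ports) > 1,
        }
    return located


# Constructed sample tables (not real data).
ARP = [("10.0.5.20", "AA:BB:CC:00:11:22"),
       ("10.0.9.7", "00:11:22:33:44:55"),
       ("10.0.9.9", "00:11:22:33:44:66")]   # in ARP, but in no FDB row
FDB = [("sw-access-1", "Gi1/0/7", "aa:bb:cc:00:11:22"),
       ("sw-core", "Te1/1", "aa:bb:cc:00:11:22"),   # same MAC seen via uplink
       ("sw-access-2", "Gi1/0/3", "00:11:22:33:44:55"),
       ("sw-core", "Te1/2", "00:11:22:33:44:55")]
UPLINKS = {("sw-core", "Te1/1"), ("sw-core", "Te1/2")}
LOCATED = locate_devices(ARP, FDB, UPLINKS)
```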
Setup is mostly automatic. Arbiter already learns your switches and controllers from RADIUS, so it polls them for you with no target list to maintain:
- Known network devices are included automatically, on by default
- Multiple read-only community strings, and SNMPv3, for fleets that are not uniform
- Any switch still answering the default public community is flagged as a security finding
- A live activity log shows each scan and poll running in real time in the portal
Two honest caveats. Serial and model come from LLDP-MED where the switch exposes it, which is standards-based but vendor-inconsistent (solid on Cisco, uneven elsewhere), so treat it as a bonus on supported gear rather than a universal guarantee. The switch and port mapping from CDP and the forwarding table is available regardless. And like everything in Asset Discovery, this is visibility, not enforcement: SNMP discovery makes no access decision and never blocks a device.
Assembled from RADIUS, DHCP, optional nmap scans and read-only SNMP polling, with no agent on a single endpoint, the result is a concrete asset register of your devices and network infrastructure: the kind of inventory NIS2 Article 21 asks you to keep.
The human layer: NIS2 fields you fill in by hand
Discovery answers what a device is, where it is plugged in and how it behaves. A NIS2 or ISO 27001 asset register also needs the context only a person can supply: who owns the device, how critical it is to the business and what function it serves. Arbiter keeps those fields on the device record itself, so the human context sits next to the discovered facts instead of in a separate spreadsheet that drifts out of date.
Each device carries a small set of inventory fields: owner, criticality, data classification, business function, site and free-text notes. Criticality rates how important the device is to the business; data classification rates how sensitive the information it handles is, on a Public, Internal, Confidential or Restricted scale. The two sit side by side, which is the heart of ISO 27001 A.5.12 and the NIS2 expectation to classify your information assets.
Several fields are pre-filled from what Arbiter already knows and can be corrected by hand: where the device is MDM managed, owner is taken from the Intune or Jamf UPN or email address, and where the endpoint is known from a RADIUS session, site is derived from the NAS it authenticated against. Every value records whether it was set by hand, derived from another source or applied by a rule, so the register shows not just its current state but how it was populated. A Mark reviewed action records that a person has checked the record and when, which is exactly the sort of evidence an auditor asks for.
Keeping the register current: auto-classification
Hand-entering fields across a few hundred devices is the kind of task that gets done once and then rots. So the register can classify endpoints for you. You write rules that set criticality or data classification from what Arbiter already knows: the device category, its MDM-managed state or membership of an endpoint group. Run a rule as a one-off pass to rate everything that matches right now, or save it as a standing rule that rates new and previously unrated devices as they appear.
The rules only ever fill a gap. A value set by hand is never overwritten by a rule, and because each field remembers how it was set (by hand, derived or applied by a rule), the register can answer the question an auditor actually asks: not just what the classification is today, but whether the register is maintained and how each value got there.
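The fill-a-gap behaviour, sketched as an added example that is not Arbiter's rule engine. The rule format, field layout and the High/Medium/Low criticality labels are assumptions; the match keys (category, MDM-managed state, group membership) and the data classification scale follow the text.

```python
def matches(device, conditions):
    """True when every condition holds; 'group' means group membership."""
    for key, wanted in conditions.items():
        if key == "group":
            if wanted not in device.get("groups", ()):
                return False
        elif device.get(key) != wanted:
            return False
    return True


def apply_rules(devices, rules):
    """Fill unset fields from matching rules and return what changed.

    A field that already holds a value (set by hand, derived, or by an
    earlier rule) is left alone, so the first matching rule wins.
    """
    changes = []
    for dev in devices:
        fields = dev.setdefault("fields", {})
        for rule in rules:
            if not matches(dev, rule["match"]):
                continue
            for field, value in rule["set"].items():
                if field in fields:
                    continue          # rules only ever fill a gap
                fields[field] = {"value": value, "origin": "rule"}
                changes.append((dev["id"], field, value))
    return changes


# Constructed sample register and rules (not real data).
DEVICES = [
    {"id": "cam-01", "category": "camera", "mdm_managed": False, "groups": []},
    {"id": "lt-0042", "category": "laptop", "mdm_managed": True,
     "groups": ["Staff"],
     "fields": {"criticality": {"value": "High", "origin": "manual"}}},
]
RULES = [
    {"match": {"category": "camera"}, "set": {"criticality": "Medium"}},
    {"match": {"mdm_managed": True},
     "set": {"criticality": "Low", "data_classification": "Internal"}},
]
CHANGES = apply_rules(DEVICES, RULES)
```

Because filled fields are skipped, running the same rules again changes nothing, which is what makes a saved standing rule safe to re-run as new devices appear.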
Two practical touches. Groups can be marked out of scope (your Guest group, for example) so the register reflects managed assets rather than transient visitor devices. And the register exports per device, not just as roll-ups: a row per endpoint with owner, site, criticality, data classification and last-reviewed date, as CSV or JSON, which is the row-level evidence an assessor expects to be handed.
Once those fields are populated they roll up across the fleet. The Asset Inventory page breaks the estate down by criticality and by site, so you can see at a glance how much of the register is filled in and where the gaps still are. See it live in the demo.
From visibility to control, when you are ready
Asset Discovery is intentionally designed as the entry point into the Arbiter platform. When you are ready to move beyond visibility, you can upgrade seamlessly into full network access control:
- 802.1X authentication
- RADIUS-based enforcement
- Certificate-based identity (EAP-TLS)
- Policy-based network access control
- Segmentation and compliance enforcement
Start with visibility. Move to verification. Then enforce control.
Why this matters
Most network security tooling starts too far ahead of customer maturity. Arbiter Asset Discovery meets organisations where they are:
- No enforcement required
- No disruptive deployment
- No dependency on endpoint agents
- Immediate value from day one
It gives you the foundation for compliance, security visibility and future NAC adoption.
Closing thought
You cannot secure what you cannot see. Arbiter Asset Discovery gives organisations that visibility first and a clear path to full network access control when they are ready.