For MSPs and MSSPs

Turn NAC into a managed security service

Offer enterprise-grade network access control to your customers without building and maintaining the underlying NAC platform. Arbiter gives MSPs a multi-tenant cloud NAC platform with isolated customer environments, central management and predictable recurring revenue.

Built for MSP operations

Add a recurring security service, not an infrastructure project

Everything you need to deliver managed NAC across a portfolio of customers, with none of the platform to run yourself.

One portal to manage every customer
Dedicated infrastructure per partner
Customer isolation by design
Predictable, capacity-based pricing
No NAC servers, PKI infrastructure or RADIUS clusters to maintain
Security isolation you can sell

Your customers do not share infrastructure with other MSPs

Most cloud platforms are multi-tenant, and MSPs are right to ask what that means if another provider's environment is ever compromised.

With Arbiter, each partner operates on dedicated infrastructure with isolated customer data, policies and certificates. Nothing your customers depend on is shared with another MSP, so you can give them a clean, defensible answer rather than a multi-tenant promise.

What an MSP partnership looks like

Every MSP receives a dedicated Arbiter environment that hosts their customers. Customer policies, certificates and authentication data stay isolated from other partners, giving you a clean security and compliance story to take to your customers.

Your own partner portal
Sign in at your-shortname.arbiter.ie with your team’s identity provider. See every customer tenant you manage in one list, drill into any tenant for full policy and authentication visibility, branded as Arbiter or co-branded by arrangement.
Dedicated database
Your customers’ policies, endpoints, authentication logs and per-tenant PKI live in a database that no other MSP touches. Per-block backups and per-block restore drills. A clean data story for any customer who asks where their information sits.
Two RADIUS listeners, active/active
Every block ships with redundant listeners behind a load balancer. One listener can fail or take a maintenance window and the other continues serving every customer with no perceptible delay. Sub-15 second failover, no manual action required.
Predictable, isolated capacity
One block is sized for tens of thousands of authentications per minute across many customers concurrently, with comfortable failover headroom. Issues at another MSP’s block cannot affect yours. The blast radius for any operational event is bounded to one block.

How partner pricing works

An MSP partnership starts with a partner block that supports up to 50 customer environments, with more blocks added as your portfolio grows. You purchase total endpoint capacity and allocate it across customers at your discretion: one could carry several thousand endpoints, another a handful, with the ability to rebalance at any time as your portfolio evolves.

Every tier carries the same feature set. There is no feature gating at Arbiter, no advanced licence and no add-ons to bolt on later. Tier selection per tenant is purely a function of endpoint count, so you size each customer to fit their estate without losing any capability.

Tenant tiers within a block

  • Trial: short evaluation tenants, no production SLA.
  • Essential: up to 100 endpoints.
  • Professional: up to 500 endpoints.
  • Enterprise: up to 1,500 endpoints.

Same guest portal, same MDM integrations, same policy engine, same SIEM forwarding, same retention controls across all of them. The only thing that changes between tiers is how many endpoints the tenant can authenticate.

Channel partner pricing is discounted from the public per-tenant rates with volume terms for larger block commitments. Add a second block when you outgrow the first, with no tenant migration required for existing customers. Specifics are agreed during partner onboarding based on your expected portfolio shape.

Built to scale with your customer base

The detail behind the model: published capacity figures backed by public stress and soak testing. Every figure below maps to an Arbiter dev-log with methodology and test data available for review.

Per-block capacity

A standard partner block supports up to 50 customer environments, with additional blocks added as your managed NAC portfolio grows. Each block runs on dedicated infrastructure:

  • One core VM
  • Two listener VMs
  • Dedicated load balancing
  • Per-tenant PKI and policy isolation
Customer tenantsTenant 1 (per-tenant PKI)Tenant 2 (per-tenant PKI)...up to 50 tenants...Tenant 50 (per-tenant PKI)RadSecArbiter MSP block (dedicated infra)Load balancerdedicatedListener VM AFreeRADIUSListener VM BFreeRADIUSCore VMPostgreSQL · API
Per-block topology. Add a second block for horizontal scale; no tenant migration or architecture change required.

Validated aggregate block capacity:

  • 10,000 RADIUS authentications per minute sustained across all tenants
  • 2,000 mixed EAP-TLS and MAB authentications per minute across real European WAN paths
  • Up to 10,000 authentications per minute for an individual tenant (validated independently, not concurrently across all fifty)
  • Approximately 420 EAP-TLS handshakes per minute per tenant on the crypto-heavy path

Validation included:

  • Single-tenant ceiling testing
  • Four-hour multi-tenant soak testing
  • Multi-region WAN authentication testing
  • 2.7 million total authentication events processed

Authentication performance

Under sustained peak load:

  • End-to-end p99 authentication latency remained below two seconds
  • Typical steady-state p99 latency measured between 1.1 and 1.4 seconds
  • Internal queue utilisation remained below 2% of configured ceilings
  • No authentication-path drops or queue overflow observed during soak testing

Approximately one second of reject latency comes from FreeRADIUS defensive delay behaviour applied to failed authentications industry-wide. Arbiter processing time itself measures in low milliseconds.

Tenant isolation and correctness

Across 2.7 million authentication events:

  • 100% policy-decision accuracy
  • No observed cross-tenant policy or certificate contamination
  • 99.997% EAP-TLS reject reliability

Each tenant operates with:

  • Dedicated FreeRADIUS virtual servers
  • Independent certificate trust chains
  • Isolated policy evaluation
  • Isolated audit logging

Real-world MSP sizing

Arbiter is designed for SME environments rather than large enterprise campus estates. Typical peak authentication rates observed in SME environments are substantially below tested platform ceilings:

EnvironmentApproximate peak auth rate
50-endpoint office~25 auth/min
250-endpoint SME~80 auth/min
500-endpoint SME~150 auth/min
2,000-endpoint estate~500 auth/min

A full partner block populated with typical SME customers operates with substantial headroom against the tested 10,000-authentication-per-minute ceiling. As your portfolio grows you scale horizontally by adding more blocks, with no tenant migration or architectural change required.

Per-tenant protection

Each tenant operates under independent rate limiting set relative to contracted endpoint count. A misconfigured supplicant, authentication loop or flapping NAS at one customer cannot consume shared listener capacity or impact co-tenants on the same block. Isolation is enforced technically rather than operationally.

Current validation roadmap

The following scenarios are currently undergoing validation testing:

  • Eight-hour sustained EAP-TLS endurance testing
  • Higher EAP-TLS concurrency scenarios
  • FreeRADIUS restart under load
  • Database failover testing
  • Edge-to-cloud network partition testing
  • Formal uptime SLA validation

Source dev-logs: round one, round two, round three. Figures update as new rounds publish.

Interested?

Partner onboarding is by introduction. Tell us about your portfolio, the customer sizes you serve and any regulatory requirements you need to meet.

support@arbiter.ie