Turn NAC into a managed security service
Offer enterprise-grade network access control to your customers without building and maintaining the underlying NAC platform. Arbiter gives MSPs a multi-tenant cloud NAC platform with isolated customer environments, central management and predictable recurring revenue.
Add a recurring security service, not an infrastructure project
Everything you need to deliver managed NAC across a portfolio of customers, with none of the platform to run yourself.
Your customers do not share infrastructure with other MSPs
Most cloud platforms are multi-tenant, and MSPs are right to ask what that means if another provider's environment is ever compromised.
With Arbiter, each partner operates on dedicated infrastructure with isolated customer data, policies and certificates. Nothing your customers depend on is shared with another MSP, so you can give them a clean, defensible answer rather than a multi-tenant promise.
What an MSP partnership looks like
Every MSP receives a dedicated Arbiter environment that hosts their customers. Customer policies, certificates and authentication data stay isolated from other partners, giving you a clean security and compliance story to take to your customers.
How partner pricing works
An MSP partnership starts with a partner block that supports up to 50 customer environments, with more blocks added as your portfolio grows. You purchase total endpoint capacity and allocate it across customers at your discretion: one could carry several thousand endpoints, another a handful, with the ability to rebalance at any time as your portfolio evolves.
Every tier carries the same feature set. There is no feature gating at Arbiter, no advanced licence and no add-ons to bolt on later. Tier selection per tenant is purely a function of endpoint count, so you size each customer to fit their estate without losing any capability.
Tenant tiers within a block
- Trial: short evaluation tenants, no production SLA.
- Essential: up to 100 endpoints.
- Professional: up to 500 endpoints.
- Enterprise: up to 1,500 endpoints.
Same guest portal, same MDM integrations, same policy engine, same SIEM forwarding, same retention controls across all of them. The only thing that changes between tiers is how many endpoints the tenant can authenticate.
Channel partner pricing is discounted from the public per-tenant rates with volume terms for larger block commitments. Add a second block when you outgrow the first, with no tenant migration required for existing customers. Specifics are agreed during partner onboarding based on your expected portfolio shape.
Built to scale with your customer base
The detail behind the model: published capacity figures backed by public stress and soak testing. Every figure below maps to an Arbiter dev-log with methodology and test data available for review.
Per-block capacity
A standard partner block supports up to 50 customer environments, with additional blocks added as your managed NAC portfolio grows. Each block runs on dedicated infrastructure:
- One core VM
- Two listener VMs
- Dedicated load balancing
- Per-tenant PKI and policy isolation
Validated aggregate block capacity:
- 10,000 RADIUS authentications per minute sustained across all tenants
- 2,000 mixed EAP-TLS and MAB authentications per minute across real European WAN paths
- Up to 10,000 authentications per minute for an individual tenant (validated independently, not concurrently across all fifty)
- Approximately 420 EAP-TLS handshakes per minute per tenant on the crypto-heavy path
Validation included:
- Single-tenant ceiling testing
- Four-hour multi-tenant soak testing
- Multi-region WAN authentication testing
- 2.7 million total authentication events processed
Authentication performance
Under sustained peak load:
- End-to-end p99 authentication latency remained below two seconds
- Typical steady-state p99 latency measured between 1.1 and 1.4 seconds
- Internal queue utilisation remained below 2% of configured ceilings
- No authentication-path drops or queue overflow observed during soak testing
Approximately one second of reject latency comes from FreeRADIUS defensive delay behaviour applied to failed authentications industry-wide. Arbiter processing time itself measures in low milliseconds.
Tenant isolation and correctness
Across 2.7 million authentication events:
- 100% policy-decision accuracy
- No observed cross-tenant policy or certificate contamination
- 99.997% EAP-TLS reject reliability
Each tenant operates with:
- Dedicated FreeRADIUS virtual servers
- Independent certificate trust chains
- Isolated policy evaluation
- Isolated audit logging
Real-world MSP sizing
Arbiter is designed for SME environments rather than large enterprise campus estates. Typical peak authentication rates observed in SME environments are substantially below tested platform ceilings:
| Environment | Approximate peak auth rate |
|---|---|
| 50-endpoint office | ~25 auth/min |
| 250-endpoint SME | ~80 auth/min |
| 500-endpoint SME | ~150 auth/min |
| 2,000-endpoint estate | ~500 auth/min |
A full partner block populated with typical SME customers operates with substantial headroom against the tested 10,000-authentication-per-minute ceiling. As your portfolio grows you scale horizontally by adding more blocks, with no tenant migration or architectural change required.
Per-tenant protection
Each tenant operates under independent rate limiting set relative to contracted endpoint count. A misconfigured supplicant, authentication loop or flapping NAS at one customer cannot consume shared listener capacity or impact co-tenants on the same block. Isolation is enforced technically rather than operationally.
Current validation roadmap
The following scenarios are currently undergoing validation testing:
- Eight-hour sustained EAP-TLS endurance testing
- Higher EAP-TLS concurrency scenarios
- FreeRADIUS restart under load
- Database failover testing
- Edge-to-cloud network partition testing
- Formal uptime SLA validation
Source dev-logs: round one, round two, round three. Figures update as new rounds publish.
Interested?
Partner onboarding is by introduction. Tell us about your portfolio, the customer sizes you serve and any regulatory requirements you need to meet.
support@arbiter.ie