Why Arbiter

Arbiter is cloud-hosted network access control for SMEs and the MSPs that support them: standards-based RADIUS, EAP-TLS authentication, identity-aware policy and audit-ready evidence, operated as a managed service and encrypted in transit over RadSec. Enterprise-grade control without the enterprise complexity or cost.

Why now

Enterprise NAC is becoming a requirement, not a nice-to-have

For many organisations, proving what connects to the network is moving from a best practice to an expectation. Regulation, cyber insurance requirements and customer supply-chain demands are pushing SMEs to adopt stronger access controls and better visibility.

Regulation is raising the bar

Directives such as NIS2 and DORA are increasing cybersecurity obligations across Europe, including requirements around access control, authentication, risk management and auditability. For many organisations, this means being able to demonstrate who and what is connecting to their network.

Supply chains are creating indirect pressure

Even organisations outside regulated sectors are feeling the impact. Large enterprises increasingly require suppliers to demonstrate stronger security controls, including device-level access control, certificate-based authentication and audit-ready evidence.

Cybersecurity is becoming a commercial requirement, not just a compliance exercise.

The challenge for SMEs

The security controls expected by regulators and customers have traditionally required expensive platforms, specialist skills and complex deployments.

Arbiter closes the gap by providing enterprise-grade network access control delivered as a cloud platform, designed for SMEs and the MSSPs that support them.


No advanced licence

One tier. Every feature. No surcharges.

There is no feature gating, no advanced licence and no add-ons to bolt on later. The only variable on your bill is how many endpoints you authenticate. Everything below is in the box on day one of your trial, on every tenant, on every tier.

  • Guest WiFi captive portal
  • MDM Integrations
  • Policy engine
  • Policy Simulator
  • Device profiling
  • RADIUS Insights
  • RadSec via Arbiter Edge
  • Arbiter PKI + BYO CA
  • Custom access profiles
  • SIEM egress

The case for Arbiter

Why choose Arbiter

The question isn't which features a NAC platform includes. It is why adopt one now, and why choose a different approach.

| Traditional approach | The Arbiter approach | Business impact |
| --- | --- | --- |
| Enterprise NAC deployments requiring specialist consultants, appliances and months of implementation | Cloud-hosted NAC with a lightweight Edge connector and no on-site NAC infrastructure | Deploy in days, not months, without expensive consulting projects |
| Self-hosted RADIUS and PKI infrastructure that requires ongoing maintenance, upgrades and availability planning | Redundant cloud authentication services with local resilience at the edge | Reduce operational overhead and remove single points of failure |
| Basic network controls with limited visibility into connected devices | Automated device discovery, profiling and policy enforcement | Gain the visibility and access-control evidence expected by insurers, auditors and customers |

Total cost of ownership

The real cost over three years

A fixed subscription can look like a premium next to free, until you price in the servers, the implementation and the engineering hours the alternatives quietly carry.

Legacy enterprise NAC: €45,000+
Licensing, dedicated VMs, implementation and retainer fees

Self-hosted RADIUS: €18,000+
Internal engineering hours and server infrastructure

Arbiter Cloud NAC: €5,364
Transparent fixed subscription, zero hardware to maintain

Illustrative. The legacy and self-hosted figures are estimates based on typical licensing, dedicated VMs, implementation and internal engineering time. Arbiter is the Essential tier at €149/month over 36 months. Your figures will vary.

Architecture

How it fits together

RADIUS authentication and DHCP discovery reach the Arbiter cloud through the on-premises Edge appliance, encrypted in transit over RadSec and isolated per tenant. Policy decisions return as RFC 2865 attributes for VLAN and ACL assignment.

Customer network
  • RADIUS-capable NAS (switch or WLC)
  • Arbiter Edge appliance (RadSec tunnel)
  • DHCP relay agent
  • Managed and headless endpoints
Arbiter cloud
  • Per-tenant RadSec endpoint (TCP 2083)
  • EAP-TLS handshake with Arbiter PKI
  • DHCP fingerprint correlation
  • Policy engine with default-deny
  • Per-session RADIUS accounting
Outcomes
  • VLAN and ACL assignment
  • Per-session audit records
  • Tenant dashboard visibility
  • Public probe-driven status page
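
The architecture above says policy decisions return to the NAS as RADIUS attributes for VLAN and ACL assignment. The following is an added example, not Arbiter's code, that parses an Access-Accept and extracts those two values, as one might when checking a captured reply. It assumes the common convention of Filter-Id (RFC 2865) for the ACL name and Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868) for the VLAN, which the page does not specify; the sample packet is constructed.

```python
import struct

# Attribute type numbers: Filter-Id is RFC 2865; the Tunnel-* ones are RFC 2868.
# ASSUMPTION: the page does not say which attributes Arbiter actually returns.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PVT_GROUP = 11, 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6

def attr(t, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([t, len(value) + 2]) + value

def parse_access_accept(pkt):
    """Return {'vlan': str|None, 'filter_id': str|None} from an Access-Accept."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        # Reject attributes whose length byte is missing, too small or overruns.
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        t, alen = pkt[pos], pkt[pos + 1]
        attrs.setdefault(t, pkt[pos + 2:pos + alen])  # keep first occurrence
        pos += alen
    out = {"vlan": None, "filter_id": None}
    if FILTER_ID in attrs:
        out["filter_id"] = attrs[FILTER_ID].decode("ascii", "replace")
    # Tunnel-Type and Tunnel-Medium-Type carry 1 tag byte + a 3-byte value.
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM, b"")[1:], "big")
    group = attrs.get(TUNNEL_PVT_GROUP, b"")
    if group[:1] and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    # Report a VLAN only when all three attributes are present and consistent.
    if ttype == VLAN and medium == IEEE_802 and group:
        out["vlan"] = group.decode("ascii", "replace")
    return out

def sample_accept(vlan=b"30", acl=b"staff-acl"):
    """Constructed sample packet (zeroed authenticator, not verified here)."""
    body = (attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM, b"\x00" + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PVT_GROUP, vlan) + attr(FILTER_ID, acl))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

The parser does not verify the Response Authenticator, so it is suitable for inspecting captures, not for trusting a reply.
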
Operational resilience

High availability is built in, not an add-on

Network access control sits in the path of every connection. If authentication fails, users and devices can be locked out. Arbiter is designed to keep access decisions running, even during connectivity failures.

Automatic offline operation

  • WAN outage? Local authentication continues.
  • Cloud connection restored? Events sync automatically.
  • No gaps in your audit trail.

Every Arbiter deployment includes automated resilience: continue authenticating during extended outages with local resilience at the edge, backed by up to 30 days of cached decisions.

How Arbiter handles failures

Site WAN outage. If a site loses internet connectivity, the Edge continues authenticating devices locally using cached decisions and local certificate validation. New, unknown devices remain blocked until cloud connectivity returns.

Edge connectivity failure. Each site can run an Edge pair. If one Edge loses its cloud connection, authentication is automatically forwarded through the healthy peer over the LAN.

Cloud service failure. Customer environments run on redundant authentication infrastructure with automatic failover and no manual intervention.

The engineering behind the offline path, including why a naive cache replay is unsafe and how the Edge runs real handshakes instead, is in the dev-log: Don't break the chain.

Performance and scale

Measured, not claimed

Published capacity figures backed by public stress and soak testing.

Validated platform capacity

  • 10,000 RADIUS authentications per minute sustained across a block
  • Sub-two-second p99 authentication latency under peak load
  • 2.7 million authentication events processed during multi-tenant testing
  • 100% policy-decision accuracy across validation testing

Full methodology, charts and test data are in the dev-log: round one, round two, round three. MSP-specific capacity sizing for a dedicated block is on the For MSPs page.

Authentication methods

Supported today and on the roadmap

| Method | Status | Typical use |
| --- | --- | --- |
| EAP-TLS | Shipping | Managed devices, certificate-based, phishing-resistant |
| MAB | Shipping | Headless IoT (printers, IP phones, BMS, conferencing equipment) |
| EAP-TTLS | Roadmap | Inner password auth (PAP/MSCHAPv2) inside an outer TLS tunnel |
| RadSec (TLS 1.3) | Shipping | All cloud-bound RADIUS encrypted in transit, tunnelled via the on-premises Arbiter Edge appliance |
| Per-tenant Root CA | Shipping | Tenant-isolated CA, ECDSA P-256 leaf certs, no fragmentation tail |
| BYO CA | Shipping | Bring your own root, Arbiter trusts your existing chain |
| Two-tier policy | Shipping | Tier 1 auth policy (who) then Tier 2 access policy (what VLAN/ACL) |
| Monitor mode | Shipping | Log-only enforcement: see what would happen before flipping live |
| Recommendation engine | Shipping | Observes auth and DHCP traffic, proposes rules to accept or edit |
| Device profiling | Shipping | Vendor, OS and device class derived from RADIUS and relayed DHCP |
| Audit log | Shipping | Per-session RADIUS records with the policy that matched |
| RADIUS Insights | Shipping | Dashboard view: pass/fail rate, busiest periods, top reject reasons |
| Live status page | Shipping | Public uptime and p50/p95/p99 latency, 90-day history |
| Intune integration | Shipping | Read managed-device posture into policy decisions |
| CoA / Disconnect (RFC 5176) | Shipping | Live session control from the cloud via Arbiter Edge |
| Tenant users + RBAC | Shipping | Passwordless email-OTP login, read-only or read-write role |
| Policy export (JSON / CSV) | Shipping | Versioned, round-trippable export of full tenant config |
| Guest WiFi captive portal | Shipping | Branded splash page, T&C acceptance, voucher / SMS guest auth |
| JSON export via API | Roadmap | Programmatic pull of audit log and endpoints for SIEM ingestion |
| WebAuthn / passkeys | Roadmap | Phishing-resistant tenant portal sign-in, second factor on writes |
| Federated SSO (Entra / Google) | Roadmap | OIDC / SAML for tenant portal sign-in via customer IdP |
| SCIM 2.0 | Roadmap | Provision tenant users from your IdP automatically |

Deployment

From sign-up to enforcement

Eight steps. No endpoint agents, no consultants, no weekend cutover.

  1. Sign up for a tier and receive tenant credentials (RADIUS shared secret, Edge activation token, Intermediate CA bundle).
  2. Deploy the Arbiter Edge appliance on your network. It ships as a tiny VM image; activate it with the one-time token from the dashboard.
  3. Configure your NAS (switch or WLC) to point its RADIUS auth and accounting at the Edge appliance. Edge tunnels every exchange to the Arbiter cloud over RadSec.
  4. Optional: configure your DHCP relay agent to forward discovery events to Arbiter for device profiling.
  5. Deploy in monitor mode. Arbiter logs every authentication and the policy that would have matched, without denying any device.
  6. Review the recommendation engine output. Accept, edit or dismiss proposed rules, or write your own against identity, certificate, MAC, OUI or device profile.
  7. Flip to enforcement mode when monitor-mode logs show what you expect. VLAN and ACL assignments take effect on the next authentication.
  8. RADIUS accounting and policy-decision records flow continuously to the tenant dashboard. JSON export via API is on the roadmap.

Standards and compliance

Built on open standards

Protocols
  • RFC 2865: RADIUS authentication
  • RFC 2866: RADIUS accounting
  • RFC 6614: RadSec (RADIUS over TLS)
  • IEEE 802.1X: port-based access control
  • EAP-TLS: certificate-based authentication
  • MAB: MAC authentication bypass
Compliance posture
  • EU data residency, built and operated in Ireland
  • GDPR native, not retrofitted
  • Aligned with NIS2 Article 21 control objectives
  • Aligned with DORA Articles 6 to 11 control objectives
  • SOC 2 Type II in progress

For the regulatory context that drives these requirements, see the market and regulatory picture.

Pricing

Three tiers, monthly billing

| Tier | Endpoints | Price |
| --- | --- | --- |
| Essential | 100 | €149 / month |
| Professional (most popular) | 500 | €399 / month |
| Enterprise | 1,500 | €999 / month |

Enterprise stacks uplift blocks beyond 1,500 endpoints: +€199 per 500 endpoints (€0.40 per endpoint), +€349 per 1,000 endpoints (€0.35 per endpoint), +€699 per 2,500 endpoints (€0.28 per endpoint). MSP partner pricing available on request.

Every tier includes the full product. There is no advanced-licence tier and no per-feature surcharges. Endpoint count is the only variable.

Map your network before you enforce

Activate a monitor-mode account: Arbiter profiles every device and shows exactly what your policies would do, without blocking anything. Flip to enforcement only when the evidence is in front of you.


Free while Arbiter is in beta. No payment, no sales call.