Network access control has a poor reputation among managed service providers. The incumbent platforms were built for a single large enterprise with its own security team, not for a provider running twenty, fifty or two hundred customers from one console. Standing up Cisco ISE or Aruba ClearPass for a client means appliances or VMs to size, a project plan measured in weeks, certificate infrastructure to design and a specialist to keep it all running. None of that fits the economics of managed services, where the margin lives in repeatable onboarding and low per-customer overhead. So most MSPs either avoid NAC entirely or resell something they cannot operate at scale.
Arbiter was built the other way around. The starting assumption is that the operator is a provider managing many tenants, and that the work of bringing a new customer online has to be fast, repeatable and free of per-site infrastructure.
Fast NAC deployment for MSPs
The reason traditional NAC takes a quarter is rarely the policy work. It is the infrastructure. Servers to provision, a certificate authority to stand up, connectors to install, an Active Directory integration to negotiate. Arbiter removes that layer rather than automating it.
A typical deployment might involve provisioning the tenant in the morning, deploying the Edge appliance before lunch, integrating Intune during the afternoon and moving the first users to EAP-TLS before the end of the working day.
A new tenant is provisioned in the control plane in minutes. Each tenant gets its own isolated configuration and its own cloud PKI, so there is no shared root and no global certificate authority to design around. The customer site connects through an Edge appliance, deployed as an OVA, which establishes an outbound RadSec tunnel to the cloud. There are no inbound ports to open on the customer firewall and no plain UDP RADIUS exposed anywhere. Once the Edge is up, the customer's switches and access points point at it as their RADIUS server and authentication starts flowing.
For the device side, Arbiter issues certificates directly from each tenant's own cloud PKI, which it provides and manages. Intune-managed laptops auto-enrol without NDES, AD CS or any on-premises Windows server, so a fleet of corporate devices can be moved onto EAP-TLS without touching the customer's domain. Printers, IoT and anything that cannot run a supplicant are handled by MAC authentication with passive profiling, so you are not blocked waiting for every device to be certificate-ready before you switch the network on.
By the end of the day you have devices authenticating, unknown devices surfaced in the inventory, and a policy posture you can refine over the following week rather than a project that has to be finished before anything works.
Multi-tenant NAC management
The part that matters most to a provider is not any single feature. It is that the whole estate is operated from one place, on infrastructure that does not bleed between providers. Each MSP runs on its own dedicated instance with its own database, so there is no shared data plane with any other provider on the platform. Within that instance every customer is an isolated tenant, and every query is scoped to a single tenant, so one of your customers can never see another's data.
From that one console the operator works across all of their customers. Onboarding the second customer looks like the first. The hundredth looks like the second. That repeatability is the entire point, and it is what makes NAC a service you can sell with a predictable cost of delivery rather than a bespoke project you reprice every time.
Operators can move between customers without changing consoles, VPNing into customer infrastructure or managing separate NAC clusters for every client.
Enterprise NAC features on every tier
Across every access-control tier, Arbiter does not gate security. RadSec, the Edge appliance, EAP-TLS, bring-your-own-CA, MDM integration, the policy engine and the audit log are available on every access-control tier, including the trial. Tiers differ by endpoint count, not by how secure the platform is allowed to be.
For an MSP this is not a pricing detail, it is a delivery guarantee. Your smallest client gets the same encrypted transport and the same certificate-based authentication as your largest. You are never in the position of explaining to a customer that the secure option costs more, and you never have to track which feature is enabled for which account. Every tenant is fully capable from the first day.
Using NAC to support NIS2 requirements
For EU providers, NIS2 is turning into a sales motion rather than a compliance headache. The supply-chain provisions pull in thousands of SMEs who were never the directive's direct target, and many of them will look to their MSP to carry the technical load. Arbiter is not a compliance product and does not deliver NIS2 compliance on its own, but it supports the Article 21 access-control and asset-management objectives directly: a live register of every connected device, encrypted authentication, segmentation and an audit trail you can hand to a customer or an assessor. Each device carries the asset-register context an auditor asks for, owner, criticality and data classification, alongside the facts Arbiter discovered for itself. That gives a provider a concrete, defensible thing to put in front of a client who has just realised the directive applies to them.
For many SMEs, the first question from an assessor is simply "what is connected to your network?" Arbiter helps MSPs answer that question immediately with a continuously updated asset inventory.
Built in the EU, hosted in the EU
Arbiter is built in Ireland, hosted in the EU and GDPR native. For a provider serving European customers, that removes a recurring objection before it is raised: the platform is hosted and stores its data in the EU, with no US transfer mechanism for the data we hold. The platforms most MSPs would otherwise reach for are US-hosted, which turns every regulated customer conversation into a data-residency discussion. Here it starts from EU residency by default. See the trust centre for where data lives and how it is protected.
The shape of it
The pitch to an MSP is straightforward. NAC has been too slow and too heavy to deliver profitably at the small and mid-market end, which is exactly where the NIS2 demand is now appearing. Unlike Cisco ISE and Aruba ClearPass, Arbiter was designed from the outset as a multi-tenant cloud NAC platform: onboarding a customer is a day of repeatable work, not a quarter of bespoke engineering, with no infrastructure to run per site, full security on every access-control tier and EU residency as standard. See how Arbiter works, the For MSPs overview and the pricing. That is a service you can package, price and scale profitably across dozens or hundreds of customers.
Frequently asked questions
How quickly can an MSP deploy Arbiter?
A typical 200-seat customer can be onboarded in a single working day: tenant provisioned in the morning, Edge appliance deployed before lunch, Intune integrated in the afternoon and the first users on EAP-TLS by the end of the day.
Does Arbiter require on-premises NAC servers?
No. Arbiter uses a lightweight Edge appliance and a cloud-hosted control plane, with no NAC servers, certificate authority or RADIUS clusters to run per site.
Does Arbiter support EAP-TLS?
Yes. Every access-control tier supports EAP-TLS and tenant-specific PKI, including the trial. Intune-managed devices auto-enrol without NDES or AD CS.
Can Arbiter help with NIS2 requirements?
Arbiter supports asset inventory, authentication, segmentation and audit logging, which align with key NIS2 control objectives. It is not a compliance product and does not deliver NIS2 compliance on its own.