Why Arbiter
Arbiter is cloud-hosted network access control for SMEs and the MSPs that support them: standards-based RADIUS, EAP-TLS authentication, identity-aware policy and audit-ready evidence, operated as a managed service and encrypted in transit over RadSec. Enterprise-grade control without the enterprise complexity or cost.
Enterprise NAC is becoming a requirement, not a nice-to-have
For many organisations, proving what connects to the network is moving from a best practice to an expectation. Regulation, cyber insurance requirements and customer supply-chain demands are pushing SMEs to adopt stronger access controls and better visibility.
Regulation is raising the bar
Directives such as NIS2 and DORA are increasing cybersecurity obligations across Europe, including requirements around access control, authentication, risk management and auditability. For many organisations, this means being able to demonstrate who and what is connecting to their network.
Supply chains are creating indirect pressure
Even organisations outside regulated sectors are feeling the impact. Large enterprises increasingly require suppliers to demonstrate stronger security controls, including device-level access control, certificate-based authentication and audit-ready evidence.
Cybersecurity is becoming a commercial requirement, not just a compliance exercise.
The challenge for SMEs
The security controls expected by regulators and customers have traditionally required expensive platforms, specialist skills and complex deployments.
Arbiter closes the gap by providing enterprise-grade network access control delivered as a cloud platform, designed for SMEs and the MSSPs that support them.
One tier. Every feature. No surcharges.
There is no feature gating, no advanced licence and no add-ons to bolt on later. The only variable on your bill is how many endpoints you authenticate. Everything below is in the box on day one of your trial, on every tenant, on every tier.
Why choose Arbiter
The question isn't which features a NAC platform includes. It is why adopt one now, and why choose a different approach.
| Traditional approach | The Arbiter approach | Business impact |
|---|---|---|
| Enterprise NAC deployments requiring specialist consultants, appliances and months of implementation | Cloud-hosted NAC with a lightweight Edge connector and no on-site NAC infrastructure | Deploy in days, not months, without expensive consulting projects |
| Self-hosted RADIUS and PKI infrastructure that requires ongoing maintenance, upgrades and availability planning | Redundant cloud authentication services with local resilience at the edge | Reduce operational overhead and remove single points of failure |
| Basic network controls with limited visibility into connected devices | Automated device discovery, profiling and policy enforcement | Gain the visibility and access-control evidence expected by insurers, auditors and customers |
The real cost over three years
A fixed subscription can look like a premium next to free, until you price in the servers, the implementation and the engineering hours the alternatives quietly carry.
Illustrative. The legacy and self-hosted figures are estimates based on typical licensing, dedicated VMs, implementation and internal engineering time. Arbiter is the Essential tier at €149/month over 36 months. Your figures will vary.
How it fits together
RADIUS authentication and DHCP discovery reach the Arbiter cloud through the on-premises Edge appliance, encrypted in transit over RadSec and isolated per tenant. Policy decisions return as RFC 2865 attributes for VLAN and ACL assignment.
- RADIUS-capable NAS (switch or WLC)
- Arbiter Edge appliance (RadSec tunnel)
- DHCP relay agent
- Managed and headless endpoints
- Per-tenant RadSec endpoint (TCP 2083)
- EAP-TLS handshake with Arbiter PKI
- DHCP fingerprint correlation
- Policy engine with default-deny
- Per-session RADIUS accounting
- VLAN and ACL assignment
- Per-session audit records
- Tenant dashboard visibility
- Public probe-driven status page
High availability is built in, not an add-on
Network access control sits in the path of every connection. If authentication fails, users and devices can be locked out. Arbiter is designed to keep access decisions running, even during connectivity failures.
Automatic offline operation
- WAN outage? Local authentication continues.
- Cloud connection restored? Events sync automatically.
- No gaps in your audit trail.
Every Arbiter deployment includes automated resilience: the Edge continues authenticating locally during extended outages, backed by up to 30 days of cached decisions.
How Arbiter handles failures
Site WAN outage. If a site loses internet connectivity, the Edge continues authenticating devices locally using cached decisions and local certificate validation. New, unknown devices remain blocked until cloud connectivity returns.
Edge connectivity failure. Each site can run an Edge pair. If one Edge loses its cloud connection, authentication is automatically forwarded through the healthy peer over the LAN.
Cloud service failure. Customer environments run on redundant authentication infrastructure with automatic failover and no manual intervention.
The engineering behind the offline path, including why a naive cache replay is unsafe and how the Edge runs real handshakes instead, is in the dev-log: Don't break the chain.
Measured, not claimed
Published capacity figures backed by public stress and soak testing.
Validated platform capacity
- 10,000 RADIUS authentications per minute sustained across a block
- Sub-two-second p99 authentication latency under peak load
- 2.7 million authentication events processed during multi-tenant testing
- 100% policy-decision accuracy across validation testing
Full methodology, charts and test data are in the dev-log: round one, round two, round three. MSP-specific capacity sizing for a dedicated block is on the For MSPs page.
Supported today and on the roadmap
| Method | Status | Typical use |
|---|---|---|
| EAP-TLS | Shipping | Managed devices, certificate-based, phishing-resistant |
| MAB | Shipping | Headless IoT (printers, IP phones, BMS, conferencing equipment) |
| EAP-TTLS | Roadmap | Inner password auth (PAP/MSCHAPv2) inside an outer TLS tunnel |
| RadSec (TLS 1.3) | Shipping | All cloud-bound RADIUS encrypted in transit, tunnelled via the on-premises Arbiter Edge appliance |
| Per-tenant Root CA | Shipping | Tenant-isolated CA, ECDSA P-256 leaf certs, no fragmentation tail |
| BYO CA | Shipping | Bring your own root, Arbiter trusts your existing chain |
| Two-tier policy | Shipping | Tier 1 auth policy (who) then Tier 2 access policy (what VLAN/ACL) |
| Monitor mode | Shipping | Log-only enforcement: see what would happen before flipping live |
| Recommendation engine | Shipping | Observes auth and DHCP traffic, proposes rules to accept or edit |
| Device profiling | Shipping | Vendor, OS and device class derived from RADIUS and relayed DHCP |
| Audit log | Shipping | Per-session RADIUS records with the policy that matched |
| RADIUS Insights | Shipping | Dashboard view: pass/fail rate, busiest periods, top reject reasons |
| Live status page | Shipping | Public uptime and p50/p95/p99 latency, 90-day history |
| Intune integration | Shipping | Read managed-device posture into policy decisions |
| CoA / Disconnect (RFC 5176) | Shipping | Live session control from the cloud via Arbiter Edge |
| Tenant users + RBAC | Shipping | Passwordless email-OTP login, read-only or read-write role |
| Policy export (JSON / CSV) | Shipping | Versioned, round-trippable export of full tenant config |
| Guest WiFi captive portal | Shipping | Branded splash page, T&C acceptance, voucher / SMS guest auth |
| JSON export via API | Roadmap | Programmatic pull of audit log and endpoints for SIEM ingestion |
| WebAuthn / passkeys | Roadmap | Phishing-resistant tenant portal sign-in, second factor on writes |
| Federated SSO (Entra / Google) | Roadmap | OIDC / SAML for tenant portal sign-in via customer IdP |
| SCIM 2.0 | Roadmap | Provision tenant users from your IdP automatically |
From sign-up to enforcement
Eight steps. No endpoint agents, no consultants, no weekend cutover.
- 01 Sign up for a tier and receive tenant credentials (RADIUS shared secret, Edge activation token, Intermediate CA bundle).
- 02 Deploy the Arbiter Edge appliance on your network. It ships as a tiny VM image; activate it with the one-time token from the dashboard.
- 03 Configure your NAS (switch or WLC) to point its RADIUS auth and accounting at the Edge appliance. Edge tunnels every exchange to the Arbiter cloud over RadSec.
- 04 Optional: configure your DHCP relay agent to forward discovery events to Arbiter for device profiling.
- 05 Deploy in monitor mode. Arbiter logs every authentication and the policy that would have matched, without denying any device.
- 06 Review the recommendation engine output. Accept, edit or dismiss proposed rules, or write your own against identity, certificate, MAC, OUI or device profile.
- 07 Flip to enforcement mode when monitor-mode logs show what you expect. VLAN and ACL assignments take effect on the next authentication.
- 08 RADIUS accounting and policy-decision records flow continuously to the tenant dashboard. JSON export via API is on the roadmap.
Built on open standards
- RFC 2865: RADIUS authentication
- RFC 2866: RADIUS accounting
- RFC 6614: RadSec (RADIUS over TLS)
- IEEE 802.1X: port-based access control
- EAP-TLS: certificate-based authentication
- MAB: MAC authentication bypass
- EU data residency, built and operated in Ireland
- GDPR native, not retrofitted
- Aligned with NIS2 Article 21 control objectives
- Aligned with DORA Articles 6 to 11 control objectives
- SOC 2 Type II in progress
For the regulatory context that drives these requirements, see the market and regulatory picture.
Three tiers, monthly billing
| Tier | Endpoints | Price |
|---|---|---|
| Essential | 100 | €149 / month |
| Professional (most popular) | 500 | €399 / month |
| Enterprise | 1,500 | €999 / month |
Enterprise stacks uplift blocks beyond 1,500 endpoints: +€199 per 500 endpoints (€0.40 per endpoint), +€349 per 1,000 endpoints (€0.35 per endpoint), +€699 per 2,500 endpoints (€0.28 per endpoint). MSP partner pricing available on request.
Every tier includes the full product. There is no advanced-licence tier and no per-feature surcharges. Endpoint count is the only variable.
Map your network before you enforce
Activate a monitor-mode account: Arbiter profiles every device and shows exactly what your policies would do, without blocking anything. Flip to enforcement only when the evidence is in front of you.
Free while Arbiter is in beta. No payment, no sales call.