NACIO is enterprise network access control (NAC) software that provides 802.1x RADIUS authentication, EAP-TLS certificate-based authentication, device profiling, endpoint compliance scanning, captive portal, and built-in PKI. It can be deployed self-hosted on your own infrastructure or as a cloud-hosted service.

Does NACIO support 802.1x and EAP-TLS?

Yes. NACIO includes a full-featured RADIUS server supporting EAP-TLS, PEAP-MSCHAPv2, EAP-TTLS, EAP-FAST, and CHAP. It also includes a built-in PKI and Certificate Authority to issue machine and user certificates for EAP-TLS without a third-party CA.

What identity providers does NACIO support?

NACIO supports Active Directory, Azure AD (Entra ID), Okta, Google Workspace, SAML 2.0, LDAP/LDAPS, RADIUS proxy, and a built-in local user database. Multiple identity sources can be mixed per authentication realm.

Can NACIO be self-hosted?

Yes. NACIO runs fully on your own infrastructure (on-premise or private cloud). A cloud-hosted option is also available for organisations that prefer a managed control plane with no on-site server.

Which network equipment does NACIO work with?

NACIO works with any RADIUS-capable network device. This includes Cisco Catalyst, Cisco Nexus, Juniper EX, HPE/Aruba, Arista, Ubiquiti UniFi, Meraki, Fortinet, Ruckus, MikroTik, and many more.

NACIO | Network Access Control Software — 802.1x RADIUS, NAC & Compliance

💸

Perpetual licensing — buy once per major version

NACIO is sold as a perpetual per-device license tied to a major version. Buy it once and run it forever — no annual subscription required to keep using what you paid for. Upgrades to the next major version are optional.

🔒

Deploy your way — on-premise or cloud

Run NACIO fully self-hosted on your own infrastructure, or use a NACIO cloud-hosted instance. Either way, remote agents connect back over encrypted tunnels — no exposed ports, no third-party auth traffic.

🧩

Complex deployments taking weeks?

Most NAC platforms require professional services to deploy. NACIO has a built-in setup wizard — from install to first authenticated device in minutes.

📦

One vendor for everything?

NACIO integrates with any RADIUS-capable switch, AP, or firewall. Active Directory, LDAP, Azure AD, SAML, Google — pick your identity source.

Core Capabilities

Everything a modern network
access control platform needs

NACIO ships as a complete, self-contained NAC solution. No separate RADIUS server. No separate portal server. No sprawl.

🔐

Full-Featured RADIUS Server

Built-in RADIUS with the complete EAP stack — EAP-TLS, PEAP-MSCHAPv2, EAP-TTLS, EAP-FAST, and CHAP. Handles wired 802.1x, wireless, and VPN simultaneously with per-realm policy routing and real-time auth logs.

🏛️

Agent-Based PKI & Certificate Authority

NACIO ships with a complete internal CA. Issue and manage machine certificates and user certificates directly from the console. Deploy via agent to Windows and macOS — fully automates EAP-TLS without any third-party PKI.

☁️

Azure AD, SAML & Identity Federation

Connect Active Directory, Azure AD, Okta, Google Workspace, Entra ID, SAML 2.0, LDAP, RADIUS proxy, and NACIO's local user DB. Mix identity sources per realm — use cert auth for corporate, SAML for BYOD, local for guests.

🖥️

Device Profiling & Fingerprinting

Automatically classify endpoints by OS, vendor, and device type using DHCP fingerprinting, HTTP user-agent, and network behaviour analysis. Profiling runs entirely on your own infrastructure — or leverage NACIO's cloud-assisted profiling service to cross-reference a continuously updated device signature database without sending any sensitive data off-site.

📋

Remote Agent — Self-Hosted or Cloud

The NACIO agent runs on Windows and macOS to verify patch level, antivirus, disk encryption, firewall status, and custom rules before granting access. Deploy in fully self-hosted mode — agents phone home to your on-premise NACIO server — or connect to a NACIO cloud-hosted instance for organisations that prefer a managed control plane with no on-site server to maintain.

🌐

Captive Portal

Fully customisable guest portals with sponsor approval, SMS/email verification, social login, and time-limited access. Works with any CAPWAP-compatible access point.

🗺️

Remote Probes via Secure Tunnels

Deploy lightweight probe agents at remote sites over encrypted secure tunnels — no VPN or open firewall ports required. Install directly from the NACIO console and the probe establishes an outbound encrypted connection back, extending full NAC enforcement to branch offices, remote sites, and air-gapped segments.

🏢

Multi-Organisation

Segment policies, portals, and endpoints by organisation. Ideal for MSPs managing multiple clients from a single NACIO deployment.

⚡

Policy Engine & Dynamic VLAN

Assign users and devices to VLANs, ACLs, and bandwidth policies based on identity, device type, compliance posture, time-of-day, and location.

📡

DHCP Server Integration

Built-in DHCP server with scope management and lease tracking, or integrate with your existing infrastructure. DHCP fingerprinting feeds directly into device profiling.

🔍

Network Discovery & Scanner

Active and passive network scanning to discover every device on your subnets — including those that never authenticate. NACIO maps IP ranges, resolves hostnames, fingerprints open ports and services, and flags rogue or unmanaged devices before they become a threat. Discovery results feed directly into the endpoint inventory and profiling engine.

📊

Real-Time Dashboard

Live view of authentication activity, endpoint health, compliance status, and network events. Drill down from any metric to the individual endpoint or user.

🔄

High Availability

Active-passive HA with automatic failover so authentication is never a single point of failure. State is continuously synchronised across nodes — sessions, leases, and endpoint records persist through a failover. Deploy two NACIO nodes behind a load balancer or use built-in heartbeat-based promotion with no manual intervention required.

Use Cases

Built for every network environment

🏢

Enterprise Campus

Full 802.1x wired and wireless enforcement with AD integration, dynamic VLAN assignment, and compliance gating for thousands of endpoints.

📱

BYOD Programmes

On-board personal devices through a self-service portal. Profile device type, verify ownership, apply appropriate access policies, and segment from corporate assets.

🏨

Hospitality & Venues

Branded captive portals with time-limited passes, PMS integration, and per-guest bandwidth controls for hotels, stadiums, and event spaces.

🏭

OT / IoT Environments

Profile and segment industrial and IoT devices. Enforce strict access control on devices that can't run traditional agents using MAC-based and DHCP fingerprinting policies.

🏥

Healthcare

Ensure medical devices, clinical workstations, and BYOD phones are all on the right VLAN with the right access — fully audited for compliance reporting.

🌐

Managed Service Providers

Manage multiple client organisations from a single NACIO console. Separate policies, portals, and reports per tenant with full isolation.

Capability	NACIO	Cisco ISE	Aruba ClearPass	Fortinet FortiNAC	Portnox Cloud
Self-hosted / on-premise	✓	✓	✓	✓	✗
Cloud-hosted option	✓	✗	✗	✗	✓
802.1x RADIUS	✓	✓	✓	✓	✓
Captive Portal	✓	✓	✓	✓	✓
Device Profiling	✓	✓	✓	✓	✓
Network Discovery & Scanner	✓	Limited	Limited	✓	✗
Compliance Scanning	✓	✓	✓	✓	✓
Built-in PKI / CA	✓	Add-on	Add-on	✗	✗
Perpetual license (no forced renewal)	✓	✗	✗	✗	✗
Multi-organisation (MSP)	✓	Complex	Limited	Limited	✓
Remote probes (secure tunnel install)	✓	ISE PSN nodes	✓	Collector VMs	✗
Built-in DHCP server	✓	✗	✗	✗	✗
Built-in High Availability	✓	Add-on license	Add-on license	Add-on license	✓
Setup wizard (mins to deploy)	✓	✗	✗	✗	✓
Vendor-neutral (any switch/AP)	✓	Cisco-preferred	Aruba-preferred	Fortinet-preferred	✓

Network Access Control,
Reinvented