// Technical Architecture

PortGuardNAC v1.1.0
Architecture

Three-plane separation, mTLS 1.3, Redis event bus — native Ubuntu, no containers.

// 01 — Three Planes

Architecture overview

Each plane is a dedicated systemd service with its own user, isolated privileges, and a single well-defined responsibility.

[Architecture diagram: Browser / Admin UI → nginx (reverse proxy, TLS termination) routing to the Management Plane, the Data Plane and static assets. Management Plane: Policy & Configuration · Python · FastAPI · SQLite · JWT authentication · RBAC · Entra ID SAML SSO · isolated system user. Control Plane: Auth Decisions · Go · FreeRADIUS · RADIUS policy engine · dynamic VLAN · CoA · elevated privileges. Data Plane: Telemetry & Push · Go + Python · WebSocket · Prometheus · Redis Stream consumer · isolated system user. Planes are linked over mTLS 1.3 and an internal-only Redis event bus.]

Management Plane

Policy & Config

Python · FastAPI · SQLite
  • REST API for all configuration
  • JWT authentication + RBAC
  • Entra ID SAML SSO
  • License enforcement
  • SHA-256 audit chain

Control Plane

Auth Decisions

Go · FreeRADIUS
  • RADIUS policy engine
  • FreeRADIUS integration
  • Dynamic VLAN assignment
  • CoA / Disconnect dispatch
  • MAC registration & rogue

Data Plane

Telemetry & Push

Go + Python · Redis
  • RADIUS event collector
  • WebSocket real-time push
  • Redis Stream consumer
  • Prometheus metrics
  • Batch event processing

// 02 — Auth Flow

802.1X authentication flow

[Flow diagram: Device connects (switch / AP) → RADIUS request (EAP identity) → identity resolved (Entra ID) → policy checked (group / CVE) → access granted (VLAN assigned)]

// 03 — Services

Native deployment, no containers

portguard.service
Management Plane — FastAPI/uvicorn
Isolated system user · Auto-restart on failure

portguard-ctrl.service
Control Plane — Go binary
Elevated privileges · mTLS to Management

portguard-radius-collector.service
Data Plane — RADIUS event collector
Isolated system user · Batch event processing

portguard-dashboard-api.service
Data Plane — REST API + WebSocket
Isolated system user · Prometheus metrics

portguard-redis.service
Redis instance — internal event bus
Unix socket only · Memory limited

freeradius.service
FreeRADIUS — 802.1X / EAP auth server
UDP auth/accounting · Isolated user

// 04 — Security Design

Built with security first

🔒

mTLS 1.3

All inter-plane communication is encrypted with mutual TLS 1.3. No plane can communicate without a valid certificate.

👤

Privilege Separation

Each service runs as a dedicated system user with only the permissions it needs. The web process cannot touch RADIUS config.

📋

Tamper-Evident Audit

Every configuration change and auth decision is logged with a SHA-256 chain. Any modification is immediately detectable.
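To show what a SHA-256 audit chain gives a defender, the following added example (not PortGuard's own code; the entry fields and the genesis value are assumptions) links every entry to the hash of its predecessor and walks the chain to find the first entry that no longer fits, whether the payload was edited or edited and re-hashed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # assumed anchor value for the first entry's prev_hash


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical event always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + body).hexdigest()


@dataclass
class AuditEntry:
    seq: int        # position in the log, so a deleted middle entry is noticed
    prev_hash: str  # hash of the previous entry (GENESIS for the first)
    payload: dict   # the logged configuration change or auth decision
    hash: str       # SHA-256 over prev_hash + payload


def append(chain: List[AuditEntry], payload: dict) -> AuditEntry:
    prev = chain[-1].hash if chain else GENESIS
    entry = AuditEntry(len(chain), prev, payload, _digest(prev, payload))
    chain.append(entry)
    return entry


def verify(chain: List[AuditEntry]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first entry that fails."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e.seq != i or e.prev_hash != expected_prev or e.hash != _digest(e.prev_hash, e.payload):
            return i
        expected_prev = e.hash  # every later entry must link to this value
    return None


def demo() -> tuple:
    # Constructed sample events, not real PortGuard log data.
    chain: List[AuditEntry] = []
    append(chain, {"type": "config", "actor": "admin", "change": "vlan 20 -> quarantine"})
    append(chain, {"type": "auth", "mac": "00:11:22:33:44:55", "decision": "accept", "vlan": 20})
    append(chain, {"type": "auth", "mac": "66:77:88:99:aa:bb", "decision": "reject"})
    intact = verify(chain)                                            # None: chain is consistent
    chain[1].payload["decision"] = "reject"                           # simulated after-the-fact edit
    tampered = verify(chain)                                          # 1: payload no longer matches its hash
    chain[1].hash = _digest(chain[1].prev_hash, chain[1].payload)     # editor also recomputes that hash
    rehashed = verify(chain)                                          # 2: next entry's prev_hash no longer links
    return intact, tampered, rehashed
```

A chain like this does not by itself reveal truncation of the newest entries; detecting that requires the latest hash to be anchored somewhere the log writer cannot rewrite, such as a separate host or a periodically signed checkpoint.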

🔐

JWT + Refresh Rotation

Admin sessions use short-lived JWT tokens with rotating refresh tokens. Session invalidation is immediate on logout.

🛡

No External Dependencies

PortGuard operates fully offline. No cloud sync, no call-home, no telemetry. Suitable for air-gapped environments.

🔑

License Cryptography

Licenses are signed with a private key that never leaves our infrastructure. Validation is local — no internet required.

// 05 — Changelog

What's new in v1.1.0

Type  Change
New   Live event stream — WebSocket push, latency under 2 seconds
New   Redis event bus with automatic circuit breaker
New   Prometheus metrics endpoint for infrastructure monitoring
New   Idle session timeout with activity tracking and warning modal
Perf  Batch event processing — significant reduction in database contention
Perf  Per-endpoint response cache — all dashboard endpoints optimized
Perf  SQLite tuned for high-throughput read/write workloads
Fix   Package manager output sanitized during automated updates