A complete NAC appliance for SMBs and MSPs — authenticates every device, enforces policy automatically, deploys in under 30 minutes.

| Capability | What it means for you |
|---|---|
| 802.1X port & wireless authentication | Devices must prove who they are before they connect — not after an incident |
| Dynamic VLAN assignment | Staff, guests and contractors land on the right segment automatically — no manual switch work |
| Microsoft Entra ID / LDAP sync | Your existing user directory drives network access — no duplicate identity management |
| Captive portal for guest access | Guests reach an isolated network through a branded page — never your internal systems |
| BYOD device policy enforcement | Personal devices that don't meet your baseline are blocked or redirected automatically |
| EAP-TLS certificate authentication | High-assurance device trust with no passwords to steal, rotate or share |
| CVE / CVSS vulnerability awareness | Know which connected devices have known security weaknesses before attackers find them |
| MSP multi-tenant dashboard | Manage all client environments from one platform — fully isolated per client |
| GPG-signed updates | Every update verified before installation — supply-chain secure by design |
| Compliance evidence export | Structured audit trail for ISO 27001 A.9, Cyber Essentials and SOC 2 — always ready |

- The most widely deployed EAP method. Users authenticate with their AD/Entra ID username and password. No certificates required on the client side.
- Mutual certificate authentication — the strongest EAP method. Both client and server present certificates. Ideal for managed corporate devices.
- Tunneled TLS with PAP inner auth. Useful for Linux clients and legacy devices that don't support PEAP natively.
- Multiple EAP methods can be chained. PortGuard tries each in order based on client capability, falling back gracefully.

- Admin portal login via Microsoft Entra ID SAML. No separate PortGuard admin accounts needed — your IT team uses their corporate credentials.
- Guest and BYOD users authenticate via Microsoft on the captive portal. Full OIDC code flow with MFA enforcement from Conditional Access policies.
- AD groups sync to PortGuard continuously. When a user is added to "Finance" in Entra ID, their VLAN assignment updates automatically on next auth.
- If Entra ID is unreachable, PortGuard can fall back to a local LDAP server or its internal user database — ensuring no single point of failure.

- Map AD groups or LDAP OUs directly to VLANs. A user in "Finance" always lands on VLAN 20, regardless of which switch port they connect to.
- Assign VLANs based on device type (laptop, printer, IP phone, IoT). MAC OUI prefix matching with manual override capability.
- Restrict VLAN access by time of day. After-hours connections can be automatically placed in a limited-access VLAN or rejected entirely.
- When a user's group changes mid-session, PortGuard sends a CoA to the switch — no disconnect required, VLAN changes live.
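
The VLAN rules described above (group mapping, OUI matching with manual override, time-of-day restriction) can be sketched as one decision function. This is an added example, not PortGuard's code or configuration format: every table value except "Finance" on VLAN 20 is constructed, the precedence order is an assumption, and the switch is assumed to honour the standard RFC 3580 tunnel attributes.

```python
import string
from datetime import time

# Constructed policy tables. Only "Finance" -> VLAN 20 comes from the text above.
GROUP_VLAN = {"Finance": 20, "Engineering": 30}   # checked in this priority order
OUI_VLAN = {"02:aa:bb": 40}                       # constructed OUI prefix -> printer VLAN
AFTER_HOURS_VLAN = 90                             # constructed limited-access VLAN
BUSINESS_HOURS = (time(7, 0), time(19, 0))        # constructed window


def normalize_mac(mac):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff; return lower-case colon form."""
    digits = mac.translate(str.maketrans("", "", ":-.")).lower()
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide_vlan(groups, mac, now, overrides=None):
    """Return the VLAN ID for this session, or None to reject it."""
    mac = normalize_mac(mac)
    if overrides and mac in overrides:            # manual override beats every rule
        return overrides[mac]
    user_vlan = next((v for g, v in GROUP_VLAN.items() if g in groups), None)
    if user_vlan is not None:                     # identity rule, limited by time of day
        start, end = BUSINESS_HOURS
        return user_vlan if start <= now < end else AFTER_HOURS_VLAN
    return OUI_VLAN.get(mac[:8])                  # device-type rule; None if unknown


def access_accept_attrs(vlan):
    """RADIUS attributes a switch expects for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": 13,                        # VLAN
        "Tunnel-Medium-Type": 6,                  # IEEE 802
        "Tunnel-Private-Group-ID": str(vlan),     # VLAN ID sent as a string
    }


if __name__ == "__main__":
    vlan = decide_vlan(["Finance"], "02-AA-BB-00-00-01", time(10, 30))
    print(vlan, access_accept_attrs(vlan))
```

Normalising the MAC before any lookup matters because supplicants and switches report the same address in different notations; an override keyed on one notation would otherwise be skipped for another.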

- Separate portal profiles for Corporate, BYOD, and Guest — each with its own auth method, VLAN, bandwidth cap, and session duration.
- Reception staff generate time-limited, single-use vouchers for visitors. Batch generation, CSV export, and email delivery supported.
- BYOD users hit the portal and click "Sign in with Microsoft". After OIDC auth, the correct VLAN is assigned automatically — no IT involvement needed.
- Per-profile bandwidth limits (up/down in kbps). Guests get limited bandwidth, employees get full speed — enforced via RADIUS attributes.

- Devices are continuously checked against the NVD CVE database. Configurable thresholds — a device with a CVSS 9.x vulnerability can be auto-quarantined.
- Every unknown MAC attempting authentication triggers an immediate security event. Auto-block with configurable whitelist and SNMP trap dispatch.
- Brute-force detection at the RADIUS level. Configurable failure thresholds per NAS and per user, with automatic lockout and alert.
- All certificates (server TLS, EAP CA, client certs) are monitored for expiry. Alerts fire at 60, 30, and 7 days before expiration.

- All dashboard widgets update via WebSocket push — no polling. Auth events appear within 2 seconds of occurrence.
- Native SNMPv2c/v3 with a ready-to-use PRTG device template exposing 28 custom OIDs — RADIUS sessions, rejects, VLAN usage, EAP failures.
- 10 operational metrics exported on localhost:9753/metrics. Compatible with Grafana, Alertmanager, and any Prometheus-compatible system.
- All security events and auth decisions can be forwarded to a remote syslog server — compatible with Splunk, Graylog, and any SIEM.

30-day trial with full Enterprise access. No credit card required.