
When to Create Local Users

If you're using an external identity provider like Active Directory or Google Workspace, your users already exist there - you don't need to create them in Warden. Warden will query your identity provider during authentication.

Create local users when:

  • You don't have an external directory
  • You need accounts for contractors or temporary workers
  • You want guest accounts that aren't in your main directory
  • You're testing before connecting to production AD

Creating a User

  1. Navigate to Users in the sidebar
  2. Click Add User
  3. Fill in the required fields:
    • Username - What they'll type when authenticating
    • Password - Must meet your password policy requirements
    • Group(s) - At least one group is required
  4. Add optional details (email, phone, description)
  5. Click Save

Username format: For RADIUS authentication, the username is usually just the plain name (e.g., jsmith). For LDAP, users might authenticate with their email address or in UPN format. Keep your format consistent!

User Settings Explained

Username

The identifier users will enter when authenticating. This should be unique and is case-insensitive for most authentication methods.

Password

Must comply with the password policy of the user's assigned group. Passwords are securely hashed using Argon2 - Warden never stores plaintext passwords.

Groups

Users must belong to at least one group. Groups determine password policies and RADIUS attributes, and are used in policy rules to control access.

Account Enabled

Toggle this off to disable a user without deleting them. Disabled users cannot authenticate but their account and history are preserved.

Password Expiration

If the user's group has password expiration enabled, you'll see when the password expires. You can also force an immediate password change on next login.

Custom Attributes

Add user-specific RADIUS attributes that override group-level settings. Useful for assigning individual VLANs or bandwidth limits to specific users.

Importing Users

Got a lot of users to add? Use the bulk import feature:

  1. Click Import Users on the Users page
  2. Download the CSV template
  3. Fill in your user data (one user per row)
  4. Upload the completed CSV
  5. Review the preview and confirm the import

CSV Format Example

username,password,email,groups,enabled
jsmith,TempPass123!,john.smith@company.com,employees,true
contractor1,SecureP@ss!,contractor@external.com,contractors,true

Security note: The CSV contains plaintext passwords during import. After import, delete the CSV file securely. Consider using the "force password change" option so users set their own passwords on first login.
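
A pre-upload check for the import CSV, added here as an example (not Warden's own code): it verifies the header from the format example, flags usernames that collide case-insensitively, and catches rows missing a password or group. It assumes `enabled` accepts only `true` or `false`, does not evaluate your password policy, and never echoes password values.

```python
import csv
import io

# Columns from the CSV format example on this page.
EXPECTED_HEADER = ["username", "password", "email", "groups", "enabled"]

def lint_import_csv(text):
    """Return a list of (line_number, message) problems found in the CSV text."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        return [(1, f"header must be {','.join(EXPECTED_HEADER)}")]
    seen = {}  # casefolded username -> first line it appeared on
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(EXPECTED_HEADER):
            problems.append((line, f"expected {len(EXPECTED_HEADER)} fields, got {len(row)}"))
            continue
        username, password, _email, groups, enabled = (c.strip() for c in row)
        if not username:
            problems.append((line, "username is empty"))
        elif seen.setdefault(username.casefold(), line) != line:
            # Usernames are unique and case-insensitive, so JSmith collides with jsmith.
            first = seen[username.casefold()]
            problems.append((line, f"username {username!r} duplicates line {first}"))
        if not password:
            problems.append((line, "password is empty"))
        if not groups:
            problems.append((line, "at least one group is required"))
        if enabled.lower() not in ("true", "false"):  # assumed value set
            problems.append((line, f"enabled must be true or false, got {enabled!r}"))
    return problems

# Constructed sample: the page's two rows plus three deliberately bad ones.
SAMPLE = """username,password,email,groups,enabled
jsmith,TempPass123!,john.smith@company.com,employees,true
contractor1,SecureP@ss!,contractor@external.com,contractors,true
JSmith,Another1!,j.smith@company.com,employees,true
guest1,GuestP@ss1,guest@external.com,,true
temp1,,temp@external.com,contractors,yes
"""

if __name__ == "__main__":
    for line, msg in lint_import_csv(SAMPLE):
        print(f"line {line}: {msg}")
```
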

Managing Existing Users

Editing a User

Click on any user to view their details. Click Edit to modify their settings. You can change everything except the username - if you need to change that, create a new user and disable the old one.

Resetting Passwords

On the user's detail page, click Reset Password. You can either set a specific password or generate a random one. Toggle "Require password change" to force them to set their own password on next login.

Disabling vs Deleting

Disable a user to immediately prevent authentication while keeping their account and audit history. This is reversible.

Delete a user to permanently remove them. Audit logs are preserved but the account cannot be recovered.

Two-Factor Authentication

Users can enroll in 2FA from their profile, or you can enable it for them:

  1. Edit the user
  2. In the 2FA section, click Enable 2FA
  3. A QR code appears - share this with the user to scan with their authenticator app
  4. Have them verify by entering a code from their app

Once enabled, the user will need to enter their TOTP code when authenticating. How they enter it (before or after password, separate prompt) depends on your policy configuration.

See our Two-Factor Authentication guide for more details on 2FA setup and RADIUS timeout considerations.

Troubleshooting

"Username already exists"

Usernames must be unique. If you're sure the user doesn't exist, check if there's a disabled user with that username - you'll need to delete or rename them first.

"Password doesn't meet requirements"

The password must comply with the group's password policy. Check the policy for minimum length, complexity requirements, and any restricted patterns.

User can't authenticate

Check these common issues:

  • Is the account enabled?
  • Has the password expired?
  • Is the user in a group that's allowed by the policy?
  • Is 2FA required but not set up?

Use NAC Tracer to see exactly what happened during the authentication attempt.
