Request Demo
Features Use Cases About Documentation Contact Request Demo

Host Groups

Manage similar network devices together

Why Use Host Groups?

Host groups make managing multiple similar devices much easier. Instead of configuring each access point individually, create a group and configure once. Changes to the group automatically apply to all members.

Common uses for host groups:

  • Access Points - All APs for a building or campus
  • Edge Switches - User-facing switches with identical configs
  • VPN Endpoints - Multiple VPN concentrators
  • Branch Offices - All devices at a remote location

Creating a Host Group

  1. Navigate to Host Groups in the sidebar
  2. Click Add Group
  3. Enter a name and description
  4. Configure group settings (policy, RADIUS secret, etc.)
  5. Click Save

Naming tip: Use clear names that indicate what devices belong in the group. "Building_A_APs" is better than "Group1". You'll appreciate this when troubleshooting at 2am.

Group Settings

RADIUS Shared Secret

All hosts in the group share this secret. This means you configure the same secret on all devices in the group, making deployment and rotation simpler.

Easier to manage at scale
Simpler secret rotation
If compromised, affects all group members

Policy

The authentication policy for all hosts in this group. Individual hosts can override this if needed.

2FA Code Position

Where users should enter their 2FA code relative to their password. Set at the group level so all devices in the group behave consistently.

IP Range

Instead of adding hosts one by one, you can define an IP range. Any device sending RADIUS requests from an IP in this range will match this group.

Examples:
  • 10.0.10.0/24 - All IPs in 10.0.10.x
  • 192.168.1.100-192.168.1.150 - Specific range

Adding Hosts to a Group

There are two ways to add hosts to a group:

Method 1: When Creating the Host

When you add a new host, select the host group in the settings. The host will inherit the group's configuration.

Method 2: Using IP Ranges

Configure the group with an IP range. Any device sending from an IP in that range automatically matches the group - no need to add hosts individually.

Dynamic matching: IP range matching is great for large deployments where new devices are added frequently. As long as they're assigned IPs in the range, they'll work automatically.

Inheritance and Overrides

Hosts in a group inherit settings from the group, but you can override any setting at the individual host level:

System Defaults

Base settings for all hosts

Host Group

Overrides system defaults

Individual Host

Overrides group settings

This hierarchy means you can set sensible defaults at the group level, then customize specific hosts when needed without affecting the entire group.

Matching Priority

When a RADIUS request arrives, Warden matches the source IP in this order:

  1. Exact host match - A host configured with that specific IP
  2. Host group range match - An IP range that includes that IP
  3. Reject - Unknown host if no match found

If an IP matches both a specific host and a group range, the specific host takes precedence.

Best Practices

  • Group by function, not just location - "All_Access_Points" makes more sense than "Floor_3" if all APs have the same config
  • Use IP ranges for dynamic environments - Great for cloud or DHCP-based network devices
  • Keep critical devices separate - Core switches and firewalls might warrant individual host entries for specific settings
  • Document your groups - Use the description field to note what devices should be in each group
  • Plan for secret rotation - Shared secrets are easier to rotate when devices are grouped logically

Common Scenarios

Campus WiFi Deployment

Create one host group for all access points with an IP range covering your AP subnet. All APs share the same RADIUS secret and policy. When you add new APs, they work automatically.

Multi-Site Enterprise

Create a host group per site. Each site has its own IP range and can have different policies if needed. Site A might require 2FA while Site B (more secure physical location) doesn't.

Tiered Security

Create groups based on security level: "High_Security_Hosts" for data center equipment, "Standard_Hosts" for general infrastructure. Apply stricter policies to the high security group.

What's Next?

Back to Hosts Overview