Managing Groups
Organize users and apply consistent settings
What Groups Do
Groups are the foundation of user management in Warden. Every user belongs to at least one group, and groups control:
- Password policies - Complexity, length, expiration rules
- RADIUS attributes - VLANs, bandwidth limits, session settings
- Access controls - Time-of-day restrictions, allowed days
- Policy matching - Groups are used in policy rules to grant or deny access
Creating a Group
- Navigate to Groups in the sidebar
- Click Add Group
- Enter a name and description
- Configure the settings you need (see below)
- Click Save
Naming tip: Use clear, descriptive names that indicate the group's purpose. "IT_Department" is better than "Group1". You'll thank yourself later when building policies.
Group Settings
Basic Information
Password Policy
These settings apply to local users in this group. External users (from AD, LDAP, etc.) are governed by their source directory's password policies.
Time Restrictions
Limit when users in this group can authenticate. Useful for contractors or limiting after-hours access.
RADIUS Attributes
These attributes are returned to network devices when users from this group successfully authenticate. They tell your equipment how to treat the user.
VLAN Assignment
To dynamically assign users to VLANs based on their group, configure these RADIUS attributes:
When configured, users in this group will be placed on the specified VLAN when connecting to 802.1X-enabled ports or wireless networks.
Make sure: The VLAN exists on your network equipment and is allowed on the port/SSID where users connect. If the VLAN doesn't exist, most switches will fall back to the default VLAN or reject the connection.
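The following is an added example, not part of the Warden documentation or product: a pre-rollout check that each group's VLAN attributes are complete and that the VLAN is allowed on every port/SSID where its users connect. It assumes the standard RFC 3580 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) with numeric VLAN IDs; the export format, function name and sample data are hypothetical and constructed for illustration.

```python
# RFC 3580 values for dynamic VLAN assignment in an Access-Accept.
# Assumption: groups carry these standard attributes under these names.
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
VLAN_ATTR = "Tunnel-Private-Group-ID"

def audit_group_vlans(groups, port_vlans):
    """Return a sorted list of (group, problem) findings.

    groups:     {group name: {RADIUS attribute: value}}  (hypothetical export format)
    port_vlans: {port or SSID name: set of VLAN IDs allowed there}
    """
    findings = []
    for name, attrs in groups.items():
        if not any(a in attrs for a in (*REQUIRED, VLAN_ATTR)):
            continue  # group does not assign a VLAN; nothing to check
        for attr, want in REQUIRED.items():
            if attrs.get(attr) != want:
                findings.append((name, f"{attr} should be {want}, got {attrs.get(attr)!r}"))
        raw = str(attrs.get(VLAN_ATTR, "")).strip()
        # Assumption: VLANs are referenced by numeric ID, not by name.
        if not raw.isdecimal() or not 1 <= int(raw) <= 4094:
            findings.append((name, f"{VLAN_ATTR} {raw!r} is not a VLAN ID in 1-4094"))
            continue
        missing = sorted(p for p, allowed in port_vlans.items() if int(raw) not in allowed)
        if missing:
            # Users here may land on the default VLAN or be rejected.
            findings.append((name, f"VLAN {raw} not allowed on: {', '.join(missing)}"))
    return sorted(findings)

# Constructed sample data (not from a real deployment).
SAMPLE_GROUPS = {
    "Engineering": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", VLAN_ATTR: "100"},
    "Sales": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", VLAN_ATTR: "200"},
    "Contractors": {"Tunnel-Type": "VLAN", VLAN_ATTR: "300"},  # medium type missing
    "Guests": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", VLAN_ATTR: "4095"},
    "Printers": {"Session-Timeout": "3600"},  # no VLAN assignment
}
SAMPLE_PORTS = {"access-switch-1": {100, 200, 300}, "corp-ssid": {100, 300}}

if __name__ == "__main__":
    for group, problem in audit_group_vlans(SAMPLE_GROUPS, SAMPLE_PORTS):
        print(f"{group}: {problem}")
```

A group that appears in the findings should be corrected before it is referenced in a policy, since a silent fallback to the default VLAN can place users on a network segment the group was never meant to reach.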
Using Groups in Policies
Groups really shine when combined with policies. Here's how they work together:
Allow/Deny by Group
In your policy's access rules, you can specify which groups are allowed to authenticate. For example: "Allow IT_Admins OR Allow Network_Team" means users must be in one of those groups to get access.
Different VLANs by Group
Create separate groups for each VLAN you want to assign. Users in "Engineering" get VLAN 100, users in "Sales" get VLAN 200. The policy's response attributes can reference group-level settings.
Tiered Access
Create groups like "Full_Access" and "Limited_Access" with different session timeouts and bandwidth limits. Assign users based on their role or trust level.
Syncing Groups from External Directories
When using LDAP or Active Directory identity providers, you can sync groups automatically:
- Configure the group sync settings on your identity provider
- Specify which OUs or group DNs to sync from
- Warden will create local groups matching your directory structure
- User group memberships are synchronized during authentication
This lets you manage groups in AD and have Warden automatically pick up changes - no duplicate management needed.
Best Practices
- Keep it simple - Fewer, well-defined groups are easier to manage than many overlapping ones
- Use descriptive names - Future you will appreciate "Engineering_FullAccess" over "GRP_001"
- Document your structure - Note which VLANs and attributes each group uses
- Test changes - Use NAC Tracer to verify group settings work as expected before rolling out broadly
- Review regularly - Audit group memberships periodically, especially for sensitive groups