
What Are Policies?

Policies are the heart of Warden's authentication logic. They define:

  • Who can authenticate - Which identity providers and groups are allowed
  • How they authenticate - Password, 2FA, certificate requirements
  • What happens on success - RADIUS attributes to return, VLANs to assign
  • When access is allowed - Time-based restrictions

Each host or host group is assigned a policy. When a user authenticates through that host, Warden evaluates the policy to determine whether to accept or reject.

How Policies Work

  1. Host receives auth request
  2. Policy is evaluated
  3. Identity providers checked
  4. Access rules applied
  5. Accept + Attributes, or Reject

Policy Components

Authentication Chain

The identity providers to try, in order. Warden checks each one until it finds the user or exhausts the list.

2FA Methods

Configure which 2FA methods are available. If any methods are configured, users must verify with at least one to authenticate.

Access Rules

Logic for allowing or denying users based on group membership. Supports AND/OR/NOT conditions.

Response Attributes

RADIUS attributes to return on successful authentication - VLANs, timeouts, vendor-specific attributes.

Time Restrictions

Limit when the policy is active. Useful for after-hours lockdowns or scheduled maintenance windows.

Fallback Behavior

What to do if no identity provider matches the user - reject, or try a fallback policy.
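
How the components above could combine into one accept/reject decision, as an added sketch that is not Warden's code or configuration syntax. The field names, sample directories and order of checks are assumptions, and the identity provider is assumed to have already verified the password.

```python
from datetime import time

# Constructed sample data. Field names are assumptions for this sketch,
# not Warden's configuration schema.
PROVIDERS = {  # provider -> user -> groups (password check assumed done)
    "ad": {"alice": {"staff"}, "eve": {"staff", "disabled"}},
    "local": {"bob": {"contractors"}},
}
GUEST = {"chain": ["local"], "twofa": [], "rule": "contractors",
         "hours": (time(0, 0), time(23, 59)),
         "vlans": [("contractors", "99")], "fallback": None}
CORP = {
    "chain": ["ad"],                                    # providers tried in order
    "twofa": ["totp", "email"],                         # non-empty => 2FA mandatory
    "rule": ("and", ("or", "staff", "contractors"), ("not", "disabled")),
    "hours": (time(9, 0), time(18, 0)),                 # policy active window
    "vlans": [("contractors", "30"), ("staff", "20")],  # first matching group wins
    "fallback": GUEST,                                  # None would mean reject
}

def rule_ok(rule, groups):
    """Evaluate a nested AND/OR/NOT rule over group names."""
    if isinstance(rule, str):
        return rule in groups
    op, *args = rule
    results = [rule_ok(a, groups) for a in args]
    ops = {"and": all, "or": any, "not": lambda r: not r[0]}
    return ops[op](results)          # unknown operator raises KeyError

def evaluate(policy, user, verified_2fa, now):
    """Return ("accept", attributes) or ("reject", reason)."""
    start, end = policy["hours"]
    if not start <= now < end:
        return "reject", "outside policy hours"
    groups = next((PROVIDERS[p][user] for p in policy["chain"]
                   if user in PROVIDERS[p]), None)
    if groups is None:               # chain exhausted without finding the user
        if policy["fallback"]:
            return evaluate(policy["fallback"], user, verified_2fa, now)
        return "reject", "user not found"
    if policy["twofa"] and verified_2fa not in policy["twofa"]:
        return "reject", "2FA required"
    if not rule_ok(policy["rule"], groups):
        return "reject", "access rule denied"
    vlan = next((v for g, v in policy["vlans"] if g in groups), None)
    if vlan is None:
        return "reject", "no VLAN mapped"   # fail closed
    return "accept", {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": vlan}
```

In this model `bob` is unknown to the first policy's chain and is accepted by the fallback policy without 2FA, because that policy configures no 2FA methods. A fallback policy deserves the same review as the primary one.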

Common Policy Patterns

Standard Corporate

Single identity provider (Active Directory), TOTP configured for 2FA. Returns VLAN based on user's group membership.

Auth: AD/LDAP | 2FA: TOTP | VLANs: Group-based

High Security

Multiple identity providers for redundancy, TOTP with Email OTP fallback. Strict time restrictions. Limited to specific user groups.

Auth: Multi-IDP | 2FA: TOTP + Email | Time: Business hours

Guest Network

Local Warden users only (no AD). Short session timeouts. Limited bandwidth. Separate guest VLAN.

Auth: Local | Timeout: 1 hour | VLAN: Guest

Contractor Access

Specific user group allowed. Time restrictions to business hours. Password expiration aligned with contract end dates.

Group: Contractors | Time: 9AM-6PM | Expires: Contract end

Policy Inheritance

Settings can be inherited from system defaults or overridden at each level:

  • System Defaults - Applies to all policies
  • Policy Settings - Overrides system defaults
  • Host Group - Can override policy settings
  • Individual Host - Most specific, highest priority

This lets you set sensible defaults while allowing exceptions where needed.
