Security Best Practices
Keep your Warden deployment secure
Overview
Warden is the gatekeeper to your network. A compromise here could mean attackers getting access to everything behind it. These best practices help you maintain a strong security posture.
Authentication Security
Enable Two-Factor Authentication
2FA should be required for all admin accounts and strongly encouraged (or required) for network users, especially those with elevated access.
Strong Password Policies
Require a minimum of 12 characters. Focus on length over complexity - a long passphrase beats a short complex password. Consider not forcing periodic password changes unless there is an indicator of compromise.
Session Timeouts
Configure appropriate session timeouts. Admin sessions should expire after periods of inactivity. Network sessions can have longer timeouts but consider your risk profile.
Account Lockout
Enable account lockout after failed login attempts (e.g., 5 failures = 15 minute lockout). This slows brute force attacks without permanently locking legitimate users.
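The lockout policy described above (5 failures trigger a 15 minute lockout), written out as an added Python example. This is illustrative code, not Warden's own implementation: the class names, the `record_attempt` interface and the injected `now` clock are assumptions made so the logic can be exercised offline. The counter resets on a successful login and an expired lockout clears itself, which is what keeps legitimate users from being locked out permanently.

```python
"""Account-lockout tracker (added example, not Warden's own code).

Policy from the page: 5 failed attempts lock the account for 15 minutes.
A correct password during the lockout is still rejected, so a brute-force
client gains nothing by continuing to guess while the account is locked.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_FAILURES = 5           # failures before the account locks
LOCKOUT_SECONDS = 15 * 60  # 15 minute lockout


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None when not locked


@dataclass
class LockoutPolicy:
    """Hypothetical policy object; 'now' is passed in so tests can control time."""
    max_failures: int = MAX_FAILURES
    lockout_seconds: int = LOCKOUT_SECONDS
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state(username)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout expired: clear it and give the user a fresh counter.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'allowed' or 'denied' for one login attempt."""
        if self.is_locked(username, now):
            return "locked"  # rejected regardless of whether the password was right
        st = self._state(username)
        if password_ok:
            st.failures = 0  # success resets the failure counter
            return "allowed"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
        return "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    t = 1_000_000.0
    for i in range(5):
        print(policy.record_attempt("alice", False, t + i))   # denied x5
    print(policy.record_attempt("alice", True, t + 10))       # locked
    print(policy.record_attempt("alice", True, t + 4 + 900))  # allowed
```

The fifth failure sets `locked_until`; every attempt before that time returns `locked` without the failure counter being touched, so repeated guesses cannot extend the lockout indefinitely.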
Network Security
Isolate Management Traffic
Put Warden's admin interface on a separate management VLAN. Only allow access from trusted admin workstations, not the general network.
Firewall Rules
Only open the ports you need: UDP 1812/1813 for RADIUS and TCP 443 for the admin portal. Restrict source IPs for the admin portal to known admin networks.
- RADIUS Auth: UDP 1812 from network devices only
- RADIUS Accounting: UDP 1813 from network devices only
- Admin Portal: TCP 443 from admin networks only
Strong RADIUS Secrets
Use randomly generated secrets of at least 16 characters. Use a unique secret per host or host group, so that if one is compromised the others remain secure.
TLS Everywhere
Use LDAPS (not plain LDAP) for identity provider connections. Use HTTPS for the admin portal. Consider EAP-TLS for the highest-security 802.1X deployments.
Administrative Security
Least Privilege
Give admins only the permissions they need. Not everyone needs full admin access. Use role-based access control if available.
Named Admin Accounts
Each admin should have their own account - no shared credentials. This enables proper audit trails and accountability.
Review Admin Logs
Regularly review admin activity logs for unauthorized changes. Set up alerts for sensitive operations like policy changes or new admin accounts.
Admin 2FA Required
Two-factor authentication should be mandatory for all admin accounts, no exceptions. Consider hardware tokens for highest-security environments.
Operational Security
Keep Warden Updated
Apply security updates promptly. Subscribe to NocTel security announcements. Test updates in a non-production environment first when possible.
Regular Backups
Back up Warden's configuration and database regularly. Test restores periodically. Store backups securely - they contain sensitive configuration.
Certificate Management
Monitor certificate expiration dates. Plan renewals in advance. Use certificates from trusted CAs for external-facing services.
Regular Cleanup
Remove disabled accounts that are no longer needed. Clean up old hosts and policies. Audit group memberships periodically.
Monitoring & Response
Alert Configuration
Set up alerts for: multiple failed logins, admin logins from new locations, configuration changes, certificate expiration, and system errors.
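The alert rules listed above, run over a handful of sample audit events, as an added Python example. It is not Warden's own alerting code and the log format (an ISO-8601 timestamp followed by `key=value` fields), the event names and the `10.0.100.0/24` admin network are all constructed for the example; adapt `parse_line()` to whatever your deployment actually emits. "Admin login from a new location" is approximated here as an admin login from outside the known admin networks, which ties in with the management VLAN advice earlier on the page.

```python
"""Alert rules over Warden-style audit events (added example, not Warden's own code).

Rules implemented, matching the page's alert list:
  - multiple failed logins for one user inside a sliding window
  - admin login from outside the known admin networks (assumed here)
  - any configuration change
  - certificate expiring within CERT_EXPIRY_WARN_DAYS
  - system errors
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed assumptions for the example.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.100.0/24")]  # management VLAN
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
CERT_EXPIRY_WARN_DAYS = 30

# Constructed sample log lines; not real Warden output.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z event=login_failed user=bob src=198.51.100.7
2024-05-01T09:00:05Z event=login_failed user=bob src=198.51.100.7
2024-05-01T09:00:09Z event=login_failed user=bob src=198.51.100.7
2024-05-01T09:00:13Z event=login_failed user=bob src=198.51.100.7
2024-05-01T09:00:17Z event=login_failed user=bob src=198.51.100.7
2024-05-01T09:05:00Z event=admin_login user=carol src=10.0.100.12
2024-05-01T09:06:00Z event=admin_login user=carol src=203.0.113.44
2024-05-01T09:07:00Z event=config_change user=carol object=policy:guest-vlan
2024-05-01T09:08:00Z event=cert_expiring cn=radius.example.com days_left=12
2024-05-01T09:09:00Z event=system_error component=ldap msg=connection_refused
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(log_text: str) -> List[Dict[str, str]]:
    """Apply every rule to the log text and return the alerts raised, in order."""
    alerts: List[Dict[str, str]] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind = ev.get("event")
        when = parse_ts(ev["ts"])

        if kind == "login_failed":
            history = recent_failures[ev["user"]]
            history.append(when)
            # Keep only failures that fall inside the sliding window.
            history[:] = [t for t in history if when - t <= FAILED_LOGIN_WINDOW]
            if len(history) == FAILED_LOGIN_THRESHOLD:  # fire once, when first reached
                alerts.append({"rule": "multiple_failed_logins",
                               "user": ev["user"], "src": ev["src"]})
        elif kind == "admin_login":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in ADMIN_NETWORKS):
                alerts.append({"rule": "admin_login_new_location",
                               "user": ev["user"], "src": ev["src"]})
        elif kind == "config_change":
            alerts.append({"rule": "config_change",
                           "user": ev["user"], "object": ev.get("object", "")})
        elif kind == "cert_expiring":
            if int(ev["days_left"]) <= CERT_EXPIRY_WARN_DAYS:
                alerts.append({"rule": "cert_expiring",
                               "cn": ev["cn"], "days_left": ev["days_left"]})
        elif kind == "system_error":
            alerts.append({"rule": "system_error",
                           "component": ev.get("component", ""), "msg": ev.get("msg", "")})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Against the sample above the rules raise exactly five alerts: one for bob's burst of failures, one for carol's admin login from 203.0.113.44, and one each for the policy change, the expiring certificate and the LDAP error. Carol's earlier login from the management VLAN raises nothing, which is the behaviour you want once admin access is confined to that VLAN.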
SIEM Integration
Forward logs to your SIEM for correlation with other security events. This helps detect patterns across your infrastructure.
Incident Response Plan
Know what to do if Warden is compromised: who to contact, how to isolate it, how to force re-authentication of all users.
Security Checklist
Use this checklist to verify your Warden deployment is secure: