Groups
Groups let you apply shared settings to multiple users at once. Instead of configuring bandwidth limits, session timeouts, or VLAN assignments for each user individually, you create a group with these settings and add users to it.
Creating Groups
- Navigate to Users > Groups
- Click Add Group
- Enter a group name and description
- Configure group attributes
- Click Save
Group Properties
| Field | Description |
|---|---|
| Name | Unique identifier for the group |
| Description | Optional description of the group's purpose |
| Priority | Default priority when users are added |
Group Attributes
Groups can have both check and reply attributes that members inherit.
Common Use Cases
Bandwidth Limiting
Session Time Limits
Concurrent Session Limits
Check Attribute: Simultaneous-Use := 2
VLAN Assignment
Group Membership
Adding Users to Groups
- Navigate to the user's profile
- Click Add to Group
- Select the group
- Set the priority (1-10, where 1 is highest)
- Click Save
Priority Evaluation
When a user belongs to multiple groups:
- Groups are evaluated in priority order (1 first, then 2, etc.)
- Check attributes are matched against the authentication request
- When all check attributes of a group match, reply attributes are returned
- Evaluation stops at the first matching group
Example
A user belongs to:
- Premium Users (Priority 1) - High bandwidth
- Staff (Priority 2) - Standard bandwidth
If Premium Users' check attributes match, the user gets high bandwidth settings and Staff group is not evaluated.
Organizational Units
Organizational Units (OUs) provide an alternative way to organize users hierarchically.
Key Differences
| Feature | Groups | Organizational Units |
|---|---|---|
| Membership | Multiple per user | One per user |
| Hierarchy | Flat | Hierarchical |
| Attribute inheritance | Via priority | From parent OU |
Best Practices
- Use descriptive names - Make group purposes clear
- Document policies - Use descriptions to explain group settings
- Test thoroughly - Verify attribute inheritance works as expected
- Review regularly - Remove unused groups and update policies as needed
- Consider priority carefully - Plan the evaluation order for overlapping groups
Frequently Asked Questions
Q: What is the difference between groups and organizational units?
Groups are flat and a user can belong to multiple groups simultaneously, with priority determining evaluation order. Organizational units (OUs) are hierarchical and each user belongs to only one OU. Groups are best for applying RADIUS policies (bandwidth, VLANs), while OUs are better for organizational hierarchy.
Q: How does group priority affect attribute assignment?
When a user belongs to multiple groups, IronWiFi evaluates them in priority order (1 first, then 2, etc.). For each group, the RADIUS server checks whether all check attributes match the authentication request. The first matching group's reply attributes are returned, and evaluation stops. Lower-priority groups are not evaluated.
Q: Can I use groups to assign different bandwidth limits to different users?
Yes. Create separate groups with different
WISPr-Bandwidth-Max-Down
WISPr-Bandwidth-Max-Up
Q: What happens if a user matches no group?
If no group's check attributes match, only the user's own reply attributes are returned. If the user has no reply attributes configured, only default authentication settings apply. The user is still authenticated, but no group-level policies (bandwidth, VLAN, timeout) are enforced.
Related Topics
- User Account Management -- create and manage the users who belong to groups
- RADIUS Attributes Reference -- full list of check and reply attributes for policies
- Network Configuration -- RADIUS settings that groups apply policies against
- Captive Portal Configuration -- assign default groups to auto-registered guest users
- Vouchers -- apply group-based limits to voucher-authenticated sessions
Was this page helpful?