Limiting concurrent sessions (Simultaneous-Use)
Simultaneous-Use is a FreeRADIUS feature that restricts how many
sessions a user can keep active at the same time. When the maximum limit
is reached and the user attempts to start another session from a different
client device, the authorization is rejected with the following RADIUS
reply message:
You are already logged in - access denied
FreeRADIUS can enforce this check through its sql module, but that's
not multi-tenant aware: this can cause issues when a user belongs to
multiple organizations with different session limits, potentially
resulting in wrong limits being applied.
To address this, OpenWISP RADIUS provides a multi-tenant aware
Simultaneous-Use check in its authorization REST API endpoint.
Configuring Simultaneous-Use Check
Add the Simultaneous-Use RADIUS check to the desired RADIUS group by
following these steps:
In the admin interface, navigate to RADIUS in the left-hand menu.
Go to Groups.
Select the group you want to configure.
In the GROUP CHECKS section, click on Add another Group check.
Fill in the fields as follows:
Attribute:
Simultaneous-UseOperator:
:=Value:
1(or any number greater than 0; 1 limits users to one concurrent session)
Important
When using Simultaneous-Use, it is recommended to add an
Idle-Timeout RADIUS reply to the same RADIUS group, with a low
value (below 300 seconds). This ensures inactive sessions are cleared
quickly, preventing users from being blocked due to stale sessions.
For the same radius group, in the GROUP REPLIES section, click on Add another Group reply.
Fill in the fields as follows:
Attribute:
Idle-TimeoutOperator:
=Value:
240
Click on Save and continue editing at the bottom of the page.
Disabling the Simultaneous-Use check
The Simultaneous-Use feature is enabled by default.
It can be disabled with the OPENWISP_RADIUS_SIMULTANEOUS_USE_ENABLED setting.
This is useful if you already rely on another FreeRADIUS module to enforce
Simultaneous-Use and do not need the OpenWISP implementation.