Implementing Simultaneous Session Control in a AAA RADIUS Server
One of the most frequently requested features of the RAD-Series RADIUS Server is simultaneous session control. Service providers selling low-cost, flat-rate Internet access cannot afford the abuse of users sharing accounts. Simultaneous session control addresses this problem by limiting the number of sessions granted to an account at any given time. The RAD-Series RADIUS Server goes beyond a check-box implementation by making the number of simultaneous sessions allowed a configurable item on a per-user basis.
As an example, let us look at a small ISP that wants to limit its users to two simultaneous sessions, maintains its user list in a Unix password file, and whose users log on as user@isp.com.
There are four configuration steps to restrict simultaneous session use:
1) Simultaneous session control requires the active session management provided by the LAS (Local Authentication Service). Therefore, the realm isp.com must be defined in las.conf as follows:
Realm isp.com
End-Realm
2) The realm must also be configured in the authfile. In this example the realm is configured for Unix password file authentication.
isp.com UNIX-PW
3) The RAD-Series RADIUS Server must load a finite state machine (FSM) table that supports the LAS (has las in its name). If the RADIUS server was installed with the default FSM table, check+policy+las.fsm, then the LAS is already supported.
4) By default, simultaneous use is set to one session when the LAS is enabled. To change this default to two sessions for our example, Simultaneous-Use will be added as a Check-Item to the DEFAULT entry in the users file.
DEFAULT Authentication-Type=Realm, Simultaneous-Use = 2
Simultaneous session control is an example of Authorization, the second A in AAA. As illustrated by this simple example, authorization adds value beyond simple authentication by further defining the conditions and limits of authorized use.
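The decision that the configuration above asks the server to make can be modeled in a few lines. The following is an added example, not RAD-Series code: the SessionTable class, the replay helper, the kiosk@isp.com override and the event tuples are all hypothetical and constructed for illustration, and only the limits (LAS default of one, DEFAULT entry of two) and the isp.com realm come from the text.

```python
# Conceptual model (added example); names are assumptions, not RAD-Series internals.
from collections import defaultdict

LAS_DEFAULT_LIMIT = 1        # from the text: one session by default when the LAS is enabled
LAS_REALMS = {"isp.com"}     # realms defined in las.conf (step 1)
USERS = {                    # constructed stand-in for the users file (step 4)
    "DEFAULT": {"Simultaneous-Use": 2},
    "kiosk@isp.com": {"Simultaneous-Use": 1},   # hypothetical per-user override
}

class SessionTable:
    def __init__(self):
        self.active = defaultdict(set)   # user -> set of open Acct-Session-Id values

    def limit_for(self, user):
        # A per-user entry wins; otherwise fall back to DEFAULT, then to the LAS default.
        entry = USERS.get(user, USERS.get("DEFAULT", {}))
        return entry.get("Simultaneous-Use", LAS_DEFAULT_LIMIT)

    def authorize(self, user):
        # Called after authentication succeeded: this is the authorization step.
        if user.rpartition("@")[2] not in LAS_REALMS:
            return "Access-Accept"       # assumption: no session tracking outside LAS realms
        if len(self.active[user]) >= self.limit_for(user):
            return "Access-Reject"
        return "Access-Accept"

    def accounting(self, user, status, session_id):
        if status == "Start":
            self.active[user].add(session_id)      # a retransmitted Start is idempotent
        elif status == "Stop":
            self.active[user].discard(session_id)  # frees the slot

def replay(events):
    # Feed a sequence of auth/accounting events through one table; collect auth decisions.
    table, results = SessionTable(), []
    for ev in events:
        if ev[0] == "auth":
            results.append((ev[1], table.authorize(ev[1])))
        else:
            table.accounting(ev[1], ev[2], ev[3])
    return results

A, K = "alice@isp.com", "kiosk@isp.com"
EVENTS = [  # constructed sample traffic
    ("auth", A), ("acct", A, "Start", "s1"), ("auth", A), ("acct", A, "Start", "s2"),
    ("auth", A), ("acct", A, "Stop", "s1"), ("auth", A),
    ("auth", K), ("acct", K, "Start", "k1"), ("auth", K),
]
if __name__ == "__main__":
    for user, decision in replay(EVENTS):
        print(user, decision)
```

In this model a slot is taken only when the accounting Start arrives and is released only by the matching Stop, so a Stop that never reaches the server leaves the slot occupied.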
