Session Management

Overview

Session management controls the lifecycle of user connections on your WiFi network. IronWiFi uses RADIUS attributes to enforce session timeouts, idle disconnections, concurrent session limits, and session tracking. Proper session management ensures security, fair resource allocation, and compliance with access policies.

Session Lifecycle

How WiFi Sessions Work with RADIUS

Session Attributes

Attribute	Type	Description
Session-Timeout	reply	Maximum session duration in seconds
Idle-Timeout	reply	Maximum idle time before disconnect (seconds)
Simultaneous-Use	check	Maximum number of concurrent sessions
Acct-Interim-Interval	reply	How often the AP sends accounting updates (seconds)
Termination-Action	reply	What happens when Session-Timeout expires

Session Timeouts

Configuring Session-Timeout

The

Session-Timeout

attribute sets the maximum duration of a user's session. When the timeout expires, the AP disconnects the user.

Setting Session-Timeout on a group:

1. Navigate to Users > Groups in the IronWiFi Console
2. Select or create a group
3. Add the reply attribute:

Reply Attribute: Session-Timeout := 3600

This disconnects users after 1 hour (3600 seconds).

Common Session-Timeout Values

Duration	Value (seconds)	Use Case
30 minutes	1800	Public WiFi, high-traffic venues
1 hour	3600	Guest WiFi, short-term access
2 hours	7200	Conference room WiFi, public library
4 hours	14400	Coworking spaces, all-day visitors
8 hours	28800	Employee WiFi (single shift)
12 hours	43200	Employee WiFi (extended shift)
24 hours	86400	Hotel guests, patient WiFi

Re-Authentication Behavior

When Session-Timeout expires:

1. The AP disconnects the user
2. The user's device automatically attempts to reconnect
3. IronWiFi authenticates the user again (if credentials are saved)
4. A new session begins with a fresh timeout

note

The user experience during re-authentication varies by device. Most devices reconnect automatically within seconds if credentials are saved. Users may notice a brief WiFi disconnection.

Termination-Action Attribute

Control what happens when Session-Timeout expires:

Reply Attribute: Termination-Action := RADIUS-Request

Value	Behavior
Default (0)	Disconnect the user
RADIUS-Request (1)	Re-authenticate the user without disconnecting (if AP supports it)

tip

Use

Termination-Action := RADIUS-Request

for employee networks where you want periodic re-authentication without disrupting active connections. Not all APs support this -- test with your specific hardware.

Idle Timeouts

Configuring Idle-Timeout

The

Idle-Timeout

attribute disconnects users who have been inactive for a specified period. This frees resources from users who have left the area but remain connected.

Reply Attribute: Idle-Timeout := 600

This disconnects users after 10 minutes of inactivity.

Common Idle-Timeout Values

Duration	Value (seconds)	Use Case
5 minutes	300	High-demand public WiFi (airports, events)
10 minutes	600	Guest WiFi, retail
30 minutes	1800	Office WiFi
1 hour	3600	Hotel, healthcare
No idle timeout	(omit attribute)	Always-connected devices, IoT

When to Use Idle Timeouts

• Public WiFi: Free up resources from users who have left
• High-density venues: Events, conferences, airports
• Licensed user limits: Reduce concurrent session count when capacity is constrained

When to Avoid Idle Timeouts

• IoT devices: Sensors and devices that transmit infrequently may appear idle
• VoIP phones: Idle between calls but must remain connected
• Background sync: Devices with periodic sync may fall below the idle threshold

warning

Set Idle-Timeout longer than the longest expected gap between user activity. If a user reads a long article (5+ minutes without network traffic), a short Idle-Timeout will disconnect them.

Concurrent Session Limits

Configuring Simultaneous-Use

The

Simultaneous-Use

attribute limits how many devices a single user can connect simultaneously:

Check Attribute: Simultaneous-Use := 2

This allows the user to have at most 2 active sessions (e.g., laptop and phone).

How Simultaneous-Use Works

1. User authenticates on Device A -- Session count: 1 (allowed)
2. User authenticates on Device B -- Session count: 2 (allowed, limit is 2)
3. User tries to authenticate on Device C -- Session count would be 3 (rejected)

The RADIUS server checks the current session count before allowing authentication.

note

Simultaneous-Use

requires accurate RADIUS accounting. If the AP does not send Accounting-Stop when a user disconnects, the session counter may not decrement correctly. See Troubleshooting Session Count Issues below.

Common Simultaneous-Use Values

Value	Use Case
1	Strict: one device per user (shared accounts, vouchers)
2	Standard: laptop + phone
3	Flexible: laptop + phone + tablet
5	Generous: multiple devices per user
(omit)	No limit on concurrent sessions

Setting Per-Group Concurrent Limits

Apply concurrent limits via group policies:

1. Navigate to Users > Groups
2. Select the group
3. Add the check attribute:

Check Attribute: Simultaneous-Use := 2

All users in this group are limited to 2 concurrent sessions.

Voucher Session Limits

For voucher-based guest WiFi, limit each voucher to a single device:

Check Attribute: Simultaneous-Use := 1

This prevents a voucher code from being shared with multiple people. See Vouchers for voucher configuration.

Session Tracking

RADIUS Accounting

RADIUS accounting tracks active sessions and usage data. IronWiFi uses accounting to enforce concurrent session limits and provide usage reporting.

Enabling Accounting:

Accounting must be enabled on your access points. Configure the accounting server with:

• Accounting Server IP: Same as the authentication server
• Accounting Port: From your Network settings in the IronWiFi Console
• Shared Secret: Same as the authentication shared secret

Accounting Interim Interval

The

Acct-Interim-Interval

attribute controls how frequently the AP sends session updates:

Reply Attribute: Acct-Interim-Interval := 300

What interim updates contain:

Field	Description
Acct-Session-Time	Seconds since session started
Acct-Input-Octets	Bytes uploaded by the user
Acct-Output-Octets	Bytes downloaded by the user
Acct-Input-Packets	Packets uploaded
Acct-Output-Packets	Packets downloaded

Recommended Interim Intervals

Interval	Value (seconds)	Use Case
1 minute	60	High-granularity monitoring (increases accounting load)
5 minutes	300	Standard for most deployments
10 minutes	600	Large deployments with many users
15 minutes	900	Low-priority networks, minimal accounting overhead

tip

300 seconds (5 minutes) is the recommended default. Shorter intervals provide more granular data but increase the accounting traffic between your APs and IronWiFi.

Viewing Active Sessions

Monitor currently active sessions:

1. Navigate to Logs > Accounting in the IronWiFi Console
2. Filter for active sessions (no stop record)
3. View session details including:
   • Username
   • MAC address
   • Session start time
   • Session duration
   • Data usage
   • Assigned VLAN and bandwidth

Change of Authorization (CoA)

Disconnecting Active Sessions

Terminate a user's session immediately without waiting for timeout:

1. Navigate to Users > select the user
2. Click Disconnect to send a RADIUS Disconnect-Request to the AP
3. The AP terminates the user's session

This requires the AP to support RADIUS CoA (RFC 5176). Most modern enterprise APs support CoA.

Updating Session Attributes

Change a user's session attributes without disconnecting:

1. Modify the user's group or attributes in the IronWiFi Console
2. Send a CoA request to the AP with the updated attributes
3. The AP applies the new attributes to the active session

Use cases:

• Upgrade or downgrade bandwidth mid-session
• Change VLAN assignment
• Update session timeout

note

CoA support varies by AP vendor. Some APs support only Disconnect-Request (session termination) and not CoA-Request (attribute update). Check your AP vendor's documentation.

Session Policies by Use Case

Employee WiFi

Guest WiFi

IoT / Medical Devices

Event / Conference WiFi

Hotel Guest WiFi

Troubleshooting

Session-Timeout Not Enforced

Symptoms: Users remain connected beyond the configured Session-Timeout.

Cause	Solution
Attribute not in Access-Accept	Check authentication logs for the Session-Timeout attribute
AP ignores Session-Timeout	Verify AP supports RADIUS Session-Timeout (check vendor docs)
User auto-reconnects immediately	This is expected behavior -- the session is terminated and a new one begins
Attribute set on user overrides group	Check for conflicting user-level attributes

Troubleshooting Session Count Issues

Symptoms:

Simultaneous-Use

rejects users even though they have fewer active devices than the limit.

Common causes:

1. Stale sessions in accounting: The AP did not send Accounting-Stop for a previous session

   • Fix: Wait for IronWiFi to expire the stale session, or manually clear it

2. AP not sending Accounting-Stop: When users disconnect abruptly (walk away, device sleeps)

   • Fix: Configure accounting on the AP and enable CoA; reduce Session-Timeout to ensure periodic cleanup

3. Multiple APs: User roams between APs, and the old AP does not send Accounting-Stop

   • Fix: Enable 802.11r/802.11k for better roaming; configure shorter accounting intervals

Users Disconnected Too Frequently

Symptoms: Users complain about frequent disconnections.

Cause	Solution
Session-Timeout too short	Increase to match the expected usage duration
Idle-Timeout too short	Increase Idle-Timeout or remove it for the user's group
Aggressive AP roaming settings	Adjust AP minimum RSSI and roaming thresholds
Certificate expiration	Check for expiring client certificates

Accounting Data Missing

Symptoms: No session data in the IronWiFi Console accounting logs.

Cause	Solution
Accounting not enabled on AP	Configure the RADIUS accounting server on your AP
Wrong accounting port	Verify the port matches the one in IronWiFi Console
Wrong shared secret	Shared secret must match exactly for accounting
Firewall blocking accounting	Allow UDP traffic to IronWiFi on the accounting port

Best Practices

1. Match timeouts to use cases -- Employee shifts, guest durations, event lengths
2. Always enable accounting -- Required for session tracking and concurrent limits
3. Use group policies -- Apply session settings via groups, not individual users
4. Set reasonable idle timeouts -- Too short frustrates users; too long wastes resources
5. Monitor session counts -- Track peak concurrent sessions to plan capacity
6. Test session limits -- Verify Simultaneous-Use works by connecting multiple devices
7. Configure interim accounting -- 300 seconds is the recommended default
8. Document session policies -- Maintain a reference of timeout values for each user type

Related Topics

• Attributes -- Complete RADIUS attribute reference
• Groups -- Group-based policy management
• Bandwidth Management -- Bandwidth limits and QoS
• Users -- User account management
• Vouchers -- Voucher-based access with session limits
• Device Management -- Device registration and lifecycle
• Troubleshooting -- General troubleshooting