Prevent account sharing

Preventing account sharing means locking each hotspot login account/ID (or access voucher) to a unique device ID (MAC address), or a set of unique device IDs, so that only the authorized devices can log in to the Wi-Fi hotspot using this ID.

This feature is mostly used in controlled Wi-Fi environments, where we want to

  1. prevent account sharing, so that users can't share their login ID with other people, because the ID is locked to the account owner's unique device MAC address. This is particularly useful when selling premium Wi-Fi vouchers, to prevent the same voucher from being shared by multiple parties.
  2. ensure traceability and accountability, so that we're very sure that this ID (if ever used to log in to the Wi-Fi hotspot) is used by the actual owner himself on his authorized device, because it can only be used to log in from his device. This is particularly important for security investigations. If anyone abuses the network access, we can use the network access logs (which include timestamp, device ID, IP address, etc.) to easily trace back to the actual owner, who cannot deny that it was done by him (e.g. he cannot claim he lost his voucher or lent it to someone else who used it).

There are two ways to implement account sharing prevention.

1. Manually lock each login ID with authorized device MAC.

With this method, device MAC addresses are added manually to each login ID. It's possible to add one or multiple device MACs to the same login ID.

This is done by the administrator manually for each login ID, and it's a very tedious task. Go to RADIUS --> Users, select the target ID (username) --> Access Info --> Access Device, then choose "Device ID (MAC address)" from the drop-down. If you want more authorized devices to use the same ID, you can add more device MACs to the same ID by selecting and adding multiple times. E.g. the example below allows two devices to share the ID (demouser).

This method can be very hard to manage when there is a large number of user accounts and each account needs to be bound to its respective device MAC.

2. Auto lock each login ID with authorized device MAC upon first login (restrict unique devices)

This method automatically binds device MAC addresses to each login account the first time a login is successful. In the example below, if we set "restrict unique devices" to 3, the MAC addresses of the first 3 devices will be auto-tagged to this account, and subsequently only these 3 devices can log in with this account.

This method saves a lot of the administrative effort of manually adding authorized MACs for each account.

NOTE: there's a huge difference between "No. of total unique devices" and "No. of concurrent device".

  • "No. of total unique devices - x" means only the first x devices that have logged in with this account can subsequently use the same account to log in (the MAC addresses of these x devices are tagged to this account upon successful login).
  • "No. of concurrent device - x" means a total of x devices can log in at the same time. There's no checking of MAC addresses.
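
The difference between the two limits can be seen in a small model of the login decision. This is an added example, not the hotspot product's own code: the `Account` class, `normalize_mac` and `demo` are hypothetical names, the MAC addresses are constructed, and it assumes a device that already holds a session does not count twice against the concurrent limit.

```python
# Added illustration; class and function names are hypothetical, not the product's API.
def normalize_mac(mac):
    """Canonicalize a MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class Account:
    def __init__(self, username, max_unique=None, max_concurrent=None):
        self.username = username
        self.max_unique = max_unique          # "No. of total unique devices"
        self.max_concurrent = max_concurrent  # "No. of concurrent device"
        self.bound_macs = []                  # MACs tagged at first successful login
        self.active = set()                   # devices with an open session

    def login(self, mac):
        """Decide a login whose username/password already verified."""
        mac = normalize_mac(mac)
        is_new = mac not in self.bound_macs
        if self.max_unique is not None and is_new \
                and len(self.bound_macs) >= self.max_unique:
            return False, "device not bound to this account"
        if self.max_concurrent is not None and mac not in self.active \
                and len(self.active) >= self.max_concurrent:
            return False, "too many concurrent devices"   # no MAC check here
        if self.max_unique is not None and is_new:
            self.bound_macs.append(mac)       # auto-lock on successful login
        self.active.add(mac)
        return True, "ok"

    def logout(self, mac):
        self.active.discard(normalize_mac(mac))


def demo():
    # Constructed sample MACs (locally administered range).
    a, b, c = "02:00:00:00:00:0a", "02-00-00-00-00-0B", "02:00:00:00:00:0c"
    results = {}
    for name, acct in (("unique", Account("voucher1", max_unique=2)),
                       ("concurrent", Account("voucher2", max_concurrent=2))):
        first = [acct.login(m)[0] for m in (a, b, c)]
        acct.logout(a)                        # first device disconnects
        results[name] = first + [acct.login(c)[0]]  # third device retries
    return results
```

With the unique-device limit the third device stays locked out even after the first one disconnects; with only the concurrent limit it gets in, so the same voucher can still be passed from device to device over time.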