Prevent account sharing

Preventing account sharing means locking each hotspot login account/ID (or access voucher) to a unique device ID (MAC address), or to a set of unique device IDs, so that only the authorized devices can log in to the Wi-Fi hotspot using this ID.

This feature is mostly used in controlled Wi-Fi environments, where we want to:

  1. Prevent account sharing, so that users can't share their login ID with other people, because the ID is locked to the account owner's unique device MAC address. This is particularly useful when selling premium Wi-Fi vouchers, to prevent the same voucher from being shared by multiple parties.
  2. Ensure traceability and accountability, so that we're very sure that this ID (if ever used to log in to the Wi-Fi hotspot) is used by the actual owner himself using his authorized device, because it can only be used to log in from his device. This is particularly important for security investigations. If anyone abuses the network access, the network access logs (which include timestamp, device ID, IP address, etc.) let us easily trace back to the actual owner, who cannot deny that it was done by him (e.g. he cannot claim he lost his voucher or lent it to someone else who used it).

There are two ways to implement account sharing prevention.

1. Manually lock each login ID with authorized device MAC.

This method manually adds device MAC addresses to each login ID. It's possible to add one or multiple device MACs to the same login ID.

This is done by the administrator manually for each login ID, and it's a very tedious task. Go to RADIUS --> Users, select the target ID (username) --> Access Info --> Access Device, then choose "Device ID (MAC address)" from the drop-down. If you want more authorized devices to use the same ID, you can add more device MACs to the same ID by selecting and adding multiple times. E.g. the example below allows two devices to share one ID (demouser).

This method can be very hard to manage when there is a large number of user accounts and each account needs to be bound to its respective device MAC.

2. Auto lock each login ID with authorized device MAC.

This method automatically binds the device MAC address to each login account the first time a login is successful. In this case, the account is created without the need to add the device MAC, which is auto-tagged to its respective account upon the first successful connection.

This method saves a lot of administrative effort, but may not be as secure as option #1: the device MAC is not checked at first login; the system assumes it's the authorized device and binds its MAC to the login ID upon successful authentication. It still serves the purpose of preventing account sharing: once the account has been activated on a device, it can only be used by that same device.
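
The sketch below is an added example, not the product's own code: it models both methods as one authorization decision, with manually pre-bound MACs (method 1) and binding on the first successful login (method 2). The `Account` class, the `authorize` function, the `max_devices` limit, the reason strings and the sample MACs are hypothetical and constructed for illustration.

```python
import re

def normalize_mac(raw):
    """Canonicalize aa-bb-.., AA:BB:.. or aabb.ccdd.eeff to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class Account:
    """Hypothetical account record: a login ID plus the device MACs bound to it."""
    def __init__(self, username, max_devices=1, bound=()):
        self.username = username
        self.max_devices = max_devices
        # Method 1: the administrator pre-binds the authorized device MACs.
        self.bound = {normalize_mac(m) for m in bound}

def authorize(account, credentials_ok, device_mac, auto_bind=True):
    """Decide one login attempt; returns (allowed, reason)."""
    if not credentials_ok:
        return False, "bad-credentials"      # never bind on a failed login
    try:
        mac = normalize_mac(device_mac)
    except ValueError:
        return False, "invalid-mac"
    if mac in account.bound:
        return True, "bound-device"
    if auto_bind and len(account.bound) < account.max_devices:
        # Method 2: the first successful login binds this device to the ID.
        account.bound.add(mac)
        return True, "bound-on-first-login"
    return False, "device-not-authorized"

if __name__ == "__main__":
    # Constructed sample data: demouser is manually bound to two devices.
    demouser = Account("demouser", max_devices=2,
                       bound=["AA-BB-CC-00-00-01", "aabb.cc00.0002"])
    print(authorize(demouser, True, "aa:bb:cc:00:00:02", auto_bind=False))
    print(authorize(demouser, True, "aa:bb:cc:00:00:03", auto_bind=False))
    # Constructed voucher account that auto-binds on first successful login.
    voucher = Account("voucher-1001")
    for mac in ("AA-BB-CC-00-00-09", "aa:bb:cc:00:00:09", "aa:bb:cc:00:00:0a"):
        print(mac, authorize(voucher, True, mac))
```

Normalizing the MAC before comparison matters because the same device can be reported in different notations; without it, a bound device could be rejected or counted twice against the device limit.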