I use freeradius to authenticate users and I have configured an unique session per user (Simultaneous-Use := 1). Freeradius has its own variable to handle who is authenticate (or you can use a database, of course). But what happens?...In some cases there is a inconsistency between what radius thinks and the reality. For example, in some cases user could be disconnected and the radius server restart at the same time, so I have sticky sessions because Radius thinks user is authenticated but he is not, so it keeps trying to login until radius memory is cleaned. So, the only way to keep consistency is asking ZD the real state of the client.