Resolved

I just upgraded to the newest stable release.

One thing I noticed mentioned in the changelog
* fixed concurrent login detection, now case-insensitive

Which I believe was meant for Captive Portal when you disable concurrent logins.

It does work in some ways, but not in others.

Example, I login with kightmb3, then login with KnightMB3 which is the same username just different case. Captive Portal kicks out the old knightmb3 like it should.

In the next screen-shot, a user logs in as ADRIANNA first, then Adrianna afterward. This kicks out the ADRIANNA (all caps username) like it should. But then the user logs in again with ADRIANNA and it sticks as per the third screen shot where both are now logged in, even though "disable concurrent logins" is enabled on Captive Portal.

So, the bug is easy to reproduce, though I'm not sure if it's because they are using All CAPS or just merely logging in right after being kicked out causes a bug in the way it handles concurrent logins.

Any feedback would be greatly appreciated. 

I've solved this issue, turns out NOT to be a bug in m0n0wall.

Here's the deal, you login with a username, then login from another machine with the same username with a space at the end, so you can have "knightmb" or "knightmb " both return a valid login from the radius server. I don't know if this affects the built in user-manager for the captive portal of m0n0wall (could anyone test to see?) but this may end just being a bug with the radius server (or some setting I'm missing somewhere) that allows that kind of name trimming login.

The reason it always puzzled me was because from the webgui in m0n0wall, you never see that "space" at the end of the log file so it looks like someone logged in twice with the same username. Sneaky users!