Skip to main content

Check-Out & Expiry

Check-out marks the end of a visit. It revokes the visitor's WiFi credentials and terminates their active network sessions. Atrium supports both manual check-out and automatic expiry.

Manual check-out

  1. Open the Dashboard and navigate to the On Site tab.
  2. Find the visitor's visit.
  3. Open the row actions menu (⋯) and click Check Out.
  4. Confirm the check-out in the dialog ("Check out [Name]?").

The visit transitions to "checked out" and moves to the Completed tab with a gray "Left" badge.

Automatic expiry

If a visitor doesn't check out manually, Atrium automatically expires the visit when the expected departure time passes. The system periodically scans for overdue visits and transitions them from "checked in" to "expired."

Expired visits behave identically to checked-out visits from a security perspective: WiFi credentials are revoked and active sessions are terminated. The only difference is the status label — "expired" instead of "checked out" — which indicates that the visitor didn't formally check out.

Accuracy of the on-site list

For the On Site tab to serve as a reliable evacuation list, visitors should check out when they leave. Automatic expiry is a safety net, not a substitute for check-out. If your expected departure times are generous (e.g., set to end of business day), a visitor who leaves at noon will still appear as "On Site" until the visit expires.

What happens on check-out or expiry

  1. WiFi voucher revocation — The visitor's WLAN credentials are invalidated. No new connections can be established.
  2. Active session termination — If an Atrium Agent is connected, it sends a disconnect command to the firewall to terminate any active WiFi sessions for the visitor. This uses vendor-specific protocols (CoA/Disconnect-Message per RFC 5176 or vendor REST APIs). Session termination is best-effort — if the firewall doesn't confirm, the failure is logged and surfaced in the dashboard.
  3. Event emission — A visitor.checked_out or visitor.expired event is emitted. Downstream consumers handle CRM sync (logging the visit) and audit logging.
  4. Dashboard update — The visit moves to the Completed tab across all active dashboard sessions.

Why session termination is best-effort

Terminating an active WiFi session on a firewall is inherently unreliable. The firewall might be temporarily unreachable, the CoA/DM message might be dropped, or the firewall's implementation might not match the expected protocol behavior. Atrium tracks termination results and surfaces failures — but it cannot guarantee that every session is terminated instantly.

In practice, this means: when a visit ends, the credentials stop working for new connections immediately (RADIUS rejects them). Existing sessions are terminated with high reliability but not with a guarantee. Sessions that survive termination will eventually time out via the firewall's own session timeout settings.

For troubleshooting termination failures, see Network Troubleshooting.