rediswho and Simultaneous-Use

Alan DeKok alan.dekok at inkbridge.io
Wed Oct 8 14:35:26 UTC 2025


On Oct 8, 2025, at 8:46 AM, Nitzan Tzelniker via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I’m working on implementing a Simultaneous-Use check using the
> rediswho module in the FreeRADIUS 3.2 branch.
> The approach is inspired by the blog post “Preventing Fraudulent
> Logins with a Session Database” (which unfortunately appears to be
> offline).

  That happens.  It's also why we don't recommend using third-party documentation.  Not only is most of it wrong, but it tends to disappear over time.

> At this stage, I’m successfully writing accounting records into Redis
> through rediswho. However, I haven’t found any documentation or
> examples describing how to query Redis for Simultaneous-Use checking
> and verification — specifically, the equivalent of the
> simul_count_query and simul_verify_query mechanisms used in the SQL
> module.

  Hmm, yes.  That does appear to be missing.  We'd have to add code to the rlm_rediswho module in order to support that.

> If anyone has implemented this or can provide guidance on best
> practices for performing Simultaneous-Use checks with rediswho, I
> would appreciate any insights or references.

  I think it would require code changes.  The Simultaneous-Use functionality does some odd internal magic IIRC.

  You might be able to get away with manual redis queries, but I haven't looked into that.

> Additionally, I noticed that the default rediswho configuration in
> both versions 3.2 and 4.0 uses the same insert operation for all
> Acct-Status-Type values. As a result, when querying the Redis, it’s
> not possible to distinguish between sessions that have terminated with
> an Acct-Status-Type = Stop and those that are still active.

  Ah, good point.  That should be fixed, too.

  I'll make some notes in GitHub.

  Alan DeKok.
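
Added example, not part of the original message and not FreeRADIUS or rlm_rediswho code: a Python model of the point raised in the thread, that using the same insert for every Acct-Status-Type leaves nothing to count active sessions from. The in-memory stand-ins for Redis lists and sets, the per-status set scheme, the function names and the sample records are all assumptions made for illustration.

```python
# Added example: in-memory stand-ins for Redis LPUSH (list) and
# SADD / SREM / SCARD (set). Nothing here talks to a real Redis or RADIUS server.
from collections import defaultdict

# Constructed accounting records: (User-Name, Acct-Status-Type, Acct-Session-Id)
SAMPLE_RECORDS = [
    ("alice", "Start", "s1"),
    ("alice", "Interim-Update", "s1"),
    ("alice", "Start", "s2"),
    ("alice", "Stop", "s1"),
    ("bob", "Start", "s3"),
    ("bob", "Stop", "s3"),
    ("bob", "Stop", "s3"),  # retransmitted Stop must not break the count
]

def log_every_record(records):
    """Same insert for every Acct-Status-Type: one list entry per record."""
    store = defaultdict(list)
    for user, _status, session_id in records:
        store[user].insert(0, session_id)  # LPUSH-like
    return store

def track_active_sessions(records):
    """Hypothetical per-status scheme: the per-user set holds only live sessions."""
    store = defaultdict(set)
    for user, status, session_id in records:
        if status in ("Start", "Interim-Update"):
            store[user].add(session_id)      # SADD-like, idempotent
        elif status == "Stop":
            store[user].discard(session_id)  # SREM-like, idempotent
    return store

def simultaneous_use_ok(store, user, limit):
    """Allow a new login only while the active count (SCARD-like) is below limit."""
    return len(store.get(user, ())) < limit

if __name__ == "__main__":
    history = log_every_record(SAMPLE_RECORDS)
    active = track_active_sessions(SAMPLE_RECORDS)
    for user in ("alice", "bob"):
        print(user, "list entries:", len(history[user]),
              "active sessions:", len(active[user]))
    print("alice allowed at limit 1:", simultaneous_use_ok(active, "alice", 1))
```

This model does not cover sessions whose Stop record never arrives, which is the case a verify step or key expiry would have to handle.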


