freeradius exec module only works in debug mode (freeradius -X)

Härtl, Calvin Calvin.Haertl at stud.hs-coburg.de
Mon Aug 14 14:41:26 UTC 2023


Hi all,

First of all, thank you for all the time and effort you have put into the FreeRADIUS project!

Sadly, I have run into a small issue, and I cannot figure out why it happens:

In my sites-enabled/default file, I have written a small "Info Mail" script, which basically just sends out an email with the rejected MAC address of a client:

# First I check if the device MAC address is in my database; if not, send out a mail and reject the Access-Request
if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) {
        %{exec:/usr/bin/sh -c "echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '*** Security-Message ***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!"}

        reject
}

In the debug mode (freeradius -X) everything works out great, and the mail gets sent out:

rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
rlm_sql (sql): Reserved connection (3)
(0)     Executing select query: SELECT COUNT(*) FROM hw WHERE macad1 = '54:99:63:c0:11:4a' OR macad2 = '54:99:63:c0:11:4a' OR macad3 = '54:99:63:c0:11:4a'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (3)
(0)     EXPAND %{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}
(0)        --> 0
(0)     if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) -> TRUE
(0)     if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) {
(0)       Executing: /usr/bin/sh -c " echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '***Security-Message***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!“:
(0)       Program returned code (0) and output 'NAC was activated!'
(0)       EXPAND %{exec:/usr/bin/sh -c "echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '*** Security-Message ***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!"}
(0)          --> NAC was activated!
(0)       [reject] = reject
(0)     } # if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> asd
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 1 length 4
(0)     [eap] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 92 from 10.11.1.17:1812 to 10.11.17.249:60492 length 44
(0)   EAP-Message = 0x04010004
(0)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

However, as soon as I exit the debug mode and run freeradius as a daemon (systemctl start freeradius), freeradius still works as expected, but the mail no longer gets sent out.
Everything else works just fine (users can hop onto the WiFi, etc.).

Am I missing something here? Any help is appreciated!

Best regards,

Calvin
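
Added example, not part of the original post and not FreeRADIUS project code: Calling-Station-Id and Called-Station-Id arrive from the network, so a notification hook like the one in the message is easier to reason about as a small helper that validates both values and receives them as separate arguments, instead of splicing them into an sh -c string. The script name, the mail addresses and the sendmail path are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, e.g. /usr/local/sbin/nac-notify.sh).
# Assumed call: nac-notify.sh <Calling-Station-Id> <Called-Station-Id>
LC_ALL=C; export LC_ALL                 # byte-wise ranges in the patterns below

MAIL_FROM="radius@example.org"          # placeholder sender
MAIL_TO="noc@example.org"               # placeholder recipient
# Absolute path to the MTA (assumed location), so no PATH lookup is involved.
MAILER="${MAILER:-/usr/sbin/sendmail -t -oi}"

# Six hex octets separated by ':' or '-'; anything else (quotes, ';',
# newlines, ...) is refused before it can reach a header or a command line.
valid_mac() {
    case $1 in *[!0-9A-Fa-f:-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$'
}

# Called-Station-Id: 1 to 64 characters from a conservative allowlist.
valid_station() {
    case $1 in ''|*[!A-Za-z0-9:._-]*) return 1 ;; esac
    [ "${#1}" -le 64 ]
}

# Headers are fixed strings; the validated values appear only in the body.
build_message() {
    printf 'From: %s\nTo: %s\n' "$MAIL_FROM" "$MAIL_TO"
    printf 'Subject: *** Security-Message ***\n\n'
    printf 'Unknown device %s at %s.\n' "$1" "$2"
    printf 'This device received a timeout of 5 minutes!\n'
}

# Returns 2 on malformed input, 1 if the mailer fails, 0 on success.
notify() {
    if ! valid_mac "$1" || ! valid_station "$2"; then
        echo "nac-notify: refusing malformed station id" >&2
        return 2
    fi
    build_message "$1" "$2" | $MAILER || return 1
    echo "NAC was activated!"
}

# Run only when both arguments are supplied.
if [ "$#" -eq 2 ]; then notify "$1" "$2"; fi
```

Setting MAILER=cat prints the message instead of sending it, which allows a dry run under the same account the daemon uses.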




