freeradius exec module only works in debug mode (freeradius -X)

marki jm+freeradiususer at roth.lu
Mon Aug 14 14:46:42 UTC 2023


Have you run tcpdump in parallel to see whether it connects to the mailserver at all?

On August 14, 2023 4:41:26 PM GMT+02:00, "Härtl, Calvin" <Calvin.Haertl at stud.hs-coburg.de> wrote:
>
>Hi all,
>
>First of all, thank you for all the time and effort you have put into the FreeRADIUS project!
>
>Sadly, I have run into a small issue, and I cannot figure out why it happens:
>
>In my sites-enabled/default file, I have written a small "Info Mail" script, which basically just sends out an email with the rejected MAC address of a client:
>
>#First I check if the device MAC address is in my database, if not, send out a mail and reject the Access-Request
>if("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0){
>
>                %{exec:/usr/bin/sh -c "echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '*** Security-Message ***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!"}
>
>                reject
>        }
>
>In the debug mode (freeradius -X) everything works out great, and the mail gets sent out:
>
>rlm_sql (sql): Reserved connection (1)
>rlm_sql (sql): Released connection (1)
>rlm_sql (sql): Reserved connection (2)
>rlm_sql (sql): Released connection (2)
>rlm_sql (sql): Reserved connection (3)
>(0)     Executing select query: SELECT COUNT(*) FROM hw WHERE macad1 = '54:99:63:c0:11:4a' OR macad2 = '54:99:63:c0:11:4a' OR macad3 = '54:99:63:c0:11:4a'
>rlm_sql_postgresql: Status: PGRES_TUPLES_OK
>rlm_sql_postgresql: query affected rows = 1 , fields = 1
>rlm_sql (sql): Released connection (3)
>(0)     EXPAND %{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}
>(0)        --> 0
>(0)     if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) -> TRUE
>(0)     if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) {
>(0)       Executing: /usr/bin/sh -c " echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '***Security-Message***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!“:
>(0)       Program returned code (0) and output 'NAC was activated!'
>(0)       EXPAND %{exec:/usr/bin/sh -c "echo Unknown device '%{Calling-Station-ID}' at '%{Called-Station-ID}'. This device received a timeout of 5 minutes! | mailx -a 'From:radius001 at stud.hs-coburg.de' -s '*** Security-Message ***' Calvin.haertl at stud.hs-coburg.de;echo NAC was activated!"}
>(0)          --> NAC was activated!
>(0)       [reject] = reject
>(0)     } # if ("%{sql:SELECT COUNT(*) FROM hw WHERE macad1 = '%{Calling-Station-ID}' OR macad2 = '%{Calling-Station-ID}' OR macad3 = '%{Calling-Station-ID}'}" == 0) = reject
>(0)   } # authorize = reject
>(0) Using Post-Auth-Type Reject
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>(0)   Post-Auth-Type REJECT {
>(0) attr_filter.access_reject: EXPAND %{User-Name}
>(0) attr_filter.access_reject:    --> asd
>(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>(0)     [attr_filter.access_reject] = updated
>(0) eap: Request was previously rejected, inserting EAP-Failure
>(0) eap: Sending EAP Failure (code 4) ID 1 length 4
>(0)     [eap] = updated
>(0)     policy remove_reply_message_if_eap {
>(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>(0)       else {
>(0)         [noop] = noop
>(0)       } # else = noop
>(0)     } # policy remove_reply_message_if_eap = noop
>(0)   } # Post-Auth-Type REJECT = updated
>(0) Delaying response for 1.000000 seconds
>Waking up in 0.2 seconds.
>Waking up in 0.6 seconds.
>(0) Sending delayed response
>(0) Sent Access-Reject Id 92 from 10.11.1.17:1812 to 10.11.17.249:60492 length 44
>(0)   EAP-Message = 0x04010004
>(0)   Message-Authenticator = 0x00000000000000000000000000000000
>Waking up in 3.9 seconds.
>
>However, as soon as I exit the debug mode and run freeradius as a daemon (systemctl start freeradius), freeradius still works as expected, but the mail no longer gets sent out.
>Everything else works just fine (users can hop onto the WiFi, etc.).
>
>Am I missing something here? Any help is appreciated!
>
>Best regards,
>
>Calvin
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
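
An added example, not part of either message and not FreeRADIUS project code: in the quoted command the trailing `; echo NAC was activated!` sets the shell's exit status to that of `echo`, so the `Program returned code (0)` line does not show whether `mailx` succeeded. The hypothetical wrapper below takes the two attributes as separate arguments, checks the MAC format, and logs the mailer's exit status and stderr; the script path, log path, `NAC_*` variables and example.org addresses are assumptions.

```shell
#!/bin/sh
# nac_notify.sh (hypothetical helper, not from the thread).
# Assumed call from unlang, one attribute per argument:
#   %{exec:/usr/local/bin/nac_notify.sh '%{Calling-Station-ID}' '%{Called-Station-ID}'}
# NAC_LOG, NAC_MAILER, NAC_FROM and NAC_TO are assumed overrides; the
# example.org addresses are placeholders.

# Accept only 12 hex digits once ':', '-' and '.' separators are removed.
is_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-')
    case $hex in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ]
}

notify() {
    calling=$1
    # Called-Station-Id only goes into the mail body; drop control characters.
    called=$(printf '%s' "$2" | tr -cd '[:print:]')
    log=${NAC_LOG:-/var/log/freeradius/nac_notify.log}
    mailer=${NAC_MAILER:-mailx}
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    if ! is_mac "$calling"; then
        printf '%s rejected malformed Calling-Station-Id\n' "$now" >>"$log"
        return 2
    fi

    # Capture the mailer's stderr and exit status instead of discarding them.
    # The -a and -s flags are the ones used in the quoted command.
    rc=0
    err=$(printf 'Unknown device %s at %s. This device received a timeout of 5 minutes!\n' \
              "$calling" "$called" |
          "$mailer" -a "From:${NAC_FROM:-radius@example.org}" \
              -s '*** Security-Message ***' "${NAC_TO:-admin@example.org}" 2>&1) || rc=$?

    # uid and PATH are logged because they can differ between an
    # interactive run and the service.
    printf '%s uid=%s path=%s mac=%s mailer_rc=%s stderr=%s\n' \
        "$now" "$(id -u)" "$PATH" "$calling" "$rc" "$err" >>"$log"
    [ "$rc" -eq 0 ] && echo 'NAC was activated!'
    return "$rc"
}

# Run only when called with arguments.
if [ "$#" -gt 0 ]; then
    notify "$@"
    exit $?
fi
```

Comparing the log lines written under `freeradius -X` with those written under the systemd service shows whether the mailer ran at all and what it reported.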

