1. Edit "raddb/dictionary" to define a local attribute to store the data

ATTRIBUTE       Eduroam-Enabled         3010    string

2. Modify "ldap.attrmap" to copy your LDAP attribute into this local RADIUS attribute:

replyItem       Eduroam-Enabled         haDirittoEduroam

3. Check the attribute like so in "sites-enabled/inner-tunnel":

authorize {
 ...
 ldap
 if (reply:Eduroam-Enabled != "Y") {
   reject
 }
 ...
}

 With this reject command in the authorize section is there a method to supply a custom reply message?

An observation I made with the if statement as above, if the attribute is not present on the user object it will evaluate false, thus allowing the user access.
Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE")
Thu Sep 20 14:31:23 2012 : Info:     (Attribute reply:RadiusAccess was not found)
Thu Sep 20 14:31:23 2012 : Info: ? Evaluating (reply:RadiusAccess != "TRUE") -> FALSE
Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") -> FALSE

This can prevented by following Phil's suggestion to only search for users with the required attribute
filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(rADIUSEnableDialAccess=*))"

 
 
 
There are probably other ways to do it, including using an "xlat" to lookup the attribute i.e. variation of step 2, or modifying the ldap queries to only "see" those users.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html