run it in full debug mode (radiusd -X) and look at the packet flow for the client. you will see the key differences bewteen an inner-tunnel method (eg PEAP) and EAP-PWD - I think you'd face the same issue with EAP-TLS - as you already says, and the debug output will show the flow - inner-tunnel is not called because its not used for that method - look at the eap module config that does all this - for TTLS and PEAP you tell the server about inner-tunnel, so it uses it..... Well, that's exactly my point. You do have to configure an inner tunnel for EAP-pwd and the authorize section of the inner tunnel is actually called and you can do stuff within the authorize section of the inner tunnel, however, when you do something that updates the request with a reject, that reject is not used by the outer session. Or maybe I'm misunderstanding what you mean.
Christian