I think as I'm using digital certificates (EAP-TLS) to authenticate users, and the user has a valid one, if there aren't any aditional checks in radcheck, the user has already been authenticated due to the certificate, and is allowed to enter the network. Is that right?
Yes. But you can still reject them before the certificate is validated. Or, you can have a Certificate Revocation List that marks their certificate as invalid.
If that's the case, I think about using the exec module to call a external shell script which checks if 'UserName' is included in my database, and if it's not, modify 'UserName' to something like 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'. Do you think there's an easier way?
See "rlm_exec". Run the script, and have the script print "Auth-Type := Reject" to stdout if the user isn't found. That should cause them to be rejected. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog