On Tue, Sep 15, 2009 at 8:31 AM, Alan DeKok <aland@deployingradius.com> wrote:
 Then it has to go into a Reply-Message attribute.

 Unless you're doing EAP.  In which case you have to extend the EAP
authentication method to handle sending messages inside of EAP.

http://wiki.freeradius.org/Radiusd.conf
Has a short section discussing the "Expiration module" (Which didn't seem to exist in my config)
Copied that into my config, set up a user with an "Expiration" attribute of last month, and voila,
 
rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=31, length=44
    Reply-Message = "Password Has Expired\r\n"

Thanks guys, now to get the front end co-operating.

~Justin