Forcing authorization access-reject depending on attribute

Mike Chamberlain mikeachamberlain at gmail.com
Mon Sep 26 10:01:14 CEST 2005


Hi there.

I am using freeradius to authenticate users to a ChilliSpot wireless
hotspot.  It's backended by a SQL database and communicating using
stored procedures.  My problem is as follows.

On authentication, the user enters their username and password.  This
calls a stored procedure which returns the correct password, leaving
it up to the gateway to determine if the password they entered is
correct.  This is all no problem.

The problem arises on the authorization.  Even though the user may
have supplied the correct username and password, they may not have
enough credit to use the service.  The problem is that there is no
radius attribute that I can pass back to the ChilliSpot gateway to
indicate that the user should not be allowed service.  No matter what
attributes I add, the radius message is always an Access-Accept.  (For
VoIP people, what I really want is the equivalent of the
h323-return-code attribute, but sadly there doesn't appear to be
anything like this in the WISPr specification.)

I have been advised that it might be possible to return an arbitrary
Access-Reject if I use scripting.  I was thinking that perhaps it
would be possible for freeradius to examine a particular attribute in
the authorization response, and depending on the value change the
message to be an Access-Reject.  However, I am kind of stuck with this
as I am new to freeradius and have no idea where to start.  Does
anyone know whether this would be the correct approach?  If so, are
there any sites or examples to get me started on this?  If not, can
anyone think of a better way to accomplish what I am trying?

Thanks in advance for your help,

Mike
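
The approach asked about above, as an added example that is not part of the original post or of the FreeRADIUS distribution: an authorize-section policy that turns the result into an Access-Reject when a credit attribute says the account is empty. It assumes FreeRADIUS 3.x policy syntax (unlang, which is newer than this message), a hypothetical local attribute named Credit-Remaining, and a stored procedure that returns that attribute as a check item.

```unlang
# raddb/dictionary (local attribute; the name and number are assumptions):
#   ATTRIBUTE   Credit-Remaining   3000   integer

# raddb/sites-enabled/default
authorize {
    # The sql module's authorize query (here, the stored procedure) is
    # assumed to return Credit-Remaining as a check item next to the
    # password, so the value ends up in the control list.
    sql

    # Fail closed: reject when the attribute is missing as well as when
    # it is zero, so a failed or incomplete lookup cannot grant service.
    if (!&control:Credit-Remaining || (&control:Credit-Remaining == 0)) {
        update reply {
            Reply-Message := "Insufficient credit"
        }
        # A reject result in authorize ends processing, and the server
        # answers the NAS with Access-Reject instead of Access-Accept.
        reject
    }

    # ... remaining authorize modules unchanged ...
}
```

Because Credit-Remaining lives in the control list, it steers the server's decision but is never sent to the ChilliSpot gateway.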
