RADIUS MAC filter / authentication before giving out a DHCP IP

I am trying to configure an SSID to perform RADIUS MAC authentication before the device is given an IP address.

This is being used in conjunction with uspot (captive portal) so that already authenticated devices are already "authenticated" before the device is able to check for a captive portal and open a popup to log in.

I am trying the following in my wireless config (I am using the wpad-full and iw-full packages), and although it does perform the RADIUS auth, it doesn't seem to matter if I reject with an Access-Reject or Access-Accept, and it still gives the user an IP regardless.

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'hotspot'
        option mode 'ap'
        option ssid 'TEST'
        option encryption 'none'
        option server 'x'
        option port '1812'
        option secret 'x'
        option acct_server 'x'
        option acct_port '1813'
        option acct_secret 'x'