This will show my lack of experience with radius. I currently have a method setup so that when a user is not in radius he gets the signup page and within 10 minutes of signing up his mac is placed into radius and can then get online. If this user does not pay and I remove him from radius, is there a way to keep him from viewing the signon page again and just resigning up gaining access again until I delete from radius again? I could use the same script that adds people from MySQL to radius to create a firewall rule against macs that I have chosen, but I would rather do everthing from radius.

Does radius give a different response if the user exists in radius and only has a different password compared to a user not existing at all?

This would be some logic in your signup page to recognize an unpaid account and simply refuse the new attempt to signup.

Ok. It seems like for my setup to make a firewall script works best. Can you tell me if this is correct, it doesn't seem to be working? These are two lines in the fw.

iptables -A INPUT --match --mac-address 00:e0:98:7f:b8:cf -j LOG --log-level 6
iptables -A INPUT --match --mac-address 00:e0:98:7f:b8:cf -j DROP