First you’ll need a group that all your disabled clients are going to.

Next add the following lines to the user file “/etc/raddb/users”.  Change SQL-Group to Group if your groups are not in a SQL database.

DEFAULT SQL-Group == "disabled", Auth-Type := Reject
 Reply-Message = "Your account has been disabled."

Save, exit and test.

This should keep all clients in the disabled group from authorizing.