Auth-Type :- Reject in RADIUS users file matches inner tunnel request but sends Access-Accept

I have WPA2 802.11x EAP authentication setup using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 talking to OpenLDAP, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which the user belongs to.

I have configured group membership checking in /etc/freeradius/modules/ldap like so:

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"

and I have configured extraction of the SSID from Called-Station-Id into Called-Station-SSID based on the Mac Auth wiki page. In /etc/freeradius/eap.conf I have enabled copying attributes from the outer tunnel into the inner tunnel, and usage of the inner tunnel response in the outer tunnel (for both PEAP and TTLS). I had the same behaviour before changing these options however.

copy_request_to_tunnel = yes
use_tunneled_reply = yes

I'm running eapol_test like this to test the setup:

eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP

with the following peap-mschapv2.conf file:

network={
    ssid="Example-EAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mgorven"
    anonymous_identity="anonymous"
    password="foobar"
    phase2="autheap=MSCHAPV2"
}

With the following in /etc/freeradius/users:

DEFAULT Ldap-Group == "employees"

and running freeradius-Xx, I can see that the LDAP group retrieval works, and that the SSID is extracted.

Debug:   [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven))))
Debug: rlm_ldap::ldap_groupcmp: User found in group employees
...
Info:        expand: %{7} -> Example-EAP

Next I try to only allow access to users in the employees group (regardless of SSID), so I put the following in /etc/freeradius/users:

DEFAULT Ldap-Group == "employees"

DEFAULT Auth-Type := Reject

But this immediately rejects the Access-Request in the outer tunnel because the anonymous user is not in the employees group. So I modify it to only match inner tunnel requests like so:

DEFAULT Ldap-Group == "employees"

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."

Now users which are in the employees group are authenticated, but so are users which are not in the employees group. I see the reject entry being matched, and the Reply-Message is set, but the client receives an Access-Accept.

Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info:   WARNING: Empty section.  Using default return values.
...
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may access this SSID."
        User-Name = "mgorven"

and eapol_test reports:

RADIUS message: code=2 (Access-Accept) identifier=11 length=233
   Attribute 18 (Reply-Message) length=64
      Value: 'User does not belong to any groups which may access this SSID.'
   Attribute 1 (User-Name) length=9
      Value: 'mgorven'
...
SUCCESS

Why isn't the request being rejected, and is this the right way to implement this?