WLAN Freeradius Auth

SlavesZeroes rino at melsa.net.id
Tue Nov 2 17:42:01 PST 2004


Dear all, 


I've set up my little hotspot for our office. And of course, for security
reasons, only MAC addresses listed in radius users can have internet access.
With Lucent Orinoco AP-1000, I've checked enable radius access control and
then set up my free radius. My radius setting:

00601d-f4ae15 Auth-Type = Local, Password = "testing123"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

But when I try to change the setting, for testing only:

00601d-f4ae15 Auth-Type = Reject, Password = "testing123"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP


They can still have access to the outside. My radius log says:

Auth: Login incorrect: [00601d-f4ae15/testing123] (from client ap port 0). 

And when I try to ping that station, it replies:
PING 192.168.0.254 (192.168.0.254): 56 data bytes
64 bytes from 192.168.0.254: icmp_seq=0 ttl=64 time=0.840 ms


My question is, if a MAC address is not listed in radius users or is in REJECT
mode, they shouldn't get access to the Access Point, and of course they
can't have an IP address, but in my case, they still have a static IP
address and they can access the LAN and internet too. Can you help me?


Thanks



More information about the freebsd-questions mailing list