When FreeRADIUS is configured to use the 'unix' module and shadow passwords, the password expiration field is ignored. This could allow a user with an expired password to authenticate against FreeRADIUS.
This was corrected upstream:
And was also corrected in Red Hat Enterprise Linux 6 via RHBA-2012:0881:
This issue affects the versions of freeradius and freeradius2 as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0134 https://rhn.redhat.com/errata/RHSA-2013-0134.html
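
The kind of expiry check that the description at the top says was being skipped, as an added example (not FreeRADIUS code and not the upstream patch). The function names and the status enum are hypothetical, the sample entries are constructed, and the field semantics are assumed to follow shadow(5).

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

#define SECONDS_PER_DAY 86400L

enum shadow_status { SHADOW_OK, SHADOW_ACCOUNT_EXPIRED,
                     SHADOW_CHANGE_REQUIRED, SHADOW_PASSWORD_EXPIRED };

/* Hypothetical helper: apply the shadow(5) aging fields to one entry.
 * All fields count days since 1970-01-01; -1 means the field is empty. */
enum shadow_status shadow_check_expiry(const struct spwd *sp, time_t now)
{
    long today = (long)(now / SECONDS_PER_DAY);

    /* sp_expire: absolute day on which the account stops being valid. */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return SHADOW_ACCOUNT_EXPIRED;
    /* sp_lstchg == 0: the password must be changed before next use. */
    if (sp->sp_lstchg == 0)
        return SHADOW_CHANGE_REQUIRED;
    /* sp_max: maximum password age, counted from the last change. */
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0 &&
        today - sp->sp_lstchg > sp->sp_max)
        return SHADOW_PASSWORD_EXPIRED;
    return SHADOW_OK;
}

/* Build a constructed entry (no real account) and check it on day `today`. */
enum shadow_status check_sample(long lstchg, long max, long expire, long today)
{
    struct spwd sp = {0};
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_expire = expire;
    sp.sp_min = sp.sp_warn = sp.sp_inact = -1;
    return shadow_check_expiry(&sp, (time_t)today * SECONDS_PER_DAY);
}

int main(void)
{
    printf("fresh password:     %d\n", check_sample(18990, 90, -1, 19000));
    printf("aged-out password:  %d\n", check_sample(18900, 90, -1, 19000));
    printf("expired account:    %d\n", check_sample(18990, 90, 18999, 19000));
    return 0;
}
```

An authenticator using shadow passwords would call a check like this after the password hash matches and reject the request on any result other than SHADOW_OK.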