Missing some valuable information here, but this seems to be an issue with the authz policy the client is hitting during authz. I would start with double checking the authz profile that is assigned as the result. Also, this could be possible if the client/s are hitting the default catch all policy which is resulting in the reject. Additional info that would aide the community includes:
-Detailed radius live log steps
-Type of auth (dot1x/mab?)
-AAA/interface config