As of ArubaOS 6.5, you can send a radius reply message attribute that will be displayed both on internal and external captive portals. You would just have to send a reject as usual from the radius server, but populate the reply-message attribute.
http://www.arubanetworks.com/techdocs/ArubaOS/6.5.x.x/Default.htm#ReleaseNotes/FeaturesIn6.5.xReleases/Features6.5.x.htm%3FTocPath%3D_____2
Here is how a rejection mesage looks on internal cp:
Here's how a rejection message looks on an external captive portal, like clearpass:
You would just have to return the radius reply-message attribute with either a positive or negative auth.
When it is added to a positive authentication, the message is displayed on the "welcome" screen of captive portal:
To enable logging to look at what reply message has been received, you can type:
config t
logging level debugging system process httpd subcat webserver
You would then type "show log system 50", and the message might look like this:
Failure:
Jul 19 02:49:16 :32674: <399828> <DBUG> |httpd| |webserver| aruba-login.c:612) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Auth result 1 reason Authentication failed, as password is wrong on server1
Success:
Jul 19 02:53:09 :922: <399828> <DBUG> |httpd| |webserver| aruba-login.c:740) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Internal welcome success message User has authenticated successfully from first server1
I hope that helps.