Is it possible to distinguish between expired and revoked certificates and assign a special vlan in the first case while rejecting the user in the second one?
As in both cases the certificate is invalid, I suppose the answer is no.

The probably best way  would be to organize the the renewal of certificates appropriately.


With best regards,


Norbert Wegener