Is it possible to distinguish between expired and revoked certificates and assign a special vlan in the first case while rejecting the user in the second one?
As in both cases the certificate is invalid, I suppose the answer is no.
The probably best way would be to organize the the renewal of certificates appropriately.
With best regards,
Norbert Wegener