What I need to do is look for MS-CHAP-Error 648 (which means the password needs to be changed) and then add a different IP address and filter + DNS server information in order for the end-user to be redirected to a webserver.
Right now, the server can't change a proxied Access-Reject to an Access-Accept. Even if it could, RADIUS doesn't support sending DNS information.
Captive portal is not always possible.
E.g. our local telco (Telkom) supports the above scheme for capped accoutings. You may supply DNS servers via Radius attibutes to the NAS.
The NAS will then assign your DNS servers to the client in stead of the standard telco DNS servers.
You then setup your DNS servers to fake it, and supply your "topup page" IP address for and DNS request.
It is a silly scheme, but it is all they support.
And how is user supposed to open that "topup page" if he is looking for Google, for instance? What you want *is* a captive portal - it will capture the user and redirect him from the requested page onto the one you want him to see. Ivan Kalik Kalik Informatika ISP