Crosspost [hostap, freeradius] Can I send "temporary failure" or "wpa tls has failed, so shove them on a vlan" ?

[Christ Schlacta]

I want an option to do some sort of "your authentication is pending 
administrative approval.  a message has been sent to the administrators, 
please try again in a few minutes".  AND an option to sya "your 
authentication has failed completely, I'm sending you to a separate 
vlan"  namely, the situation is as follows:

I've got an interface available on a separate AP to allow users to 
register for and acquire a certificate.  The certificate is bound to a 
single hostname and mac address.  THere are two failure conditions:

1) the user has bad or no credentials
in this case the user should be sent to a captive vlan where all they 
can do is connect to the registration webpage to acquire a certificate 
and bind it to their wifi MAC address.

2) the user has good credentials but fails "MAC" authentication.
The mac address will go through some level of processing, which will 
result in either "adding" the mac address to their account and 
succeeding, or triggering a "We have to send a request for review to the 
administrators" and sending the user to a separate vlan with a "explain 
why you have so many MAC addresses" website.

Not sure how to configure hostapd and freeradius together to do this.