Hi Alan,
We're not using captive portal on wired but we are doing wired 802.1X with ClearPass. We use Cisco 3850 and 3750E switches and currently have a "profiler" VLAN/subnet set up where devices go if they've never been profiled. Once profiled, CP bounces the port and it goes back through 802.1X auth with MAB (MAC auth bypass) for devices such as IP phones, printers, etc. CP sends a RADIUS CoA message back to the switch to set the interface to a particular VLAN and bounce it, forcing re-auth. One thing you may want to consider instead of using different VLANs/subnets is to use one (or at least consolidate) and send downloadable ACLs to the switch to apply per-port based on the security requirement. We ended up running into issues with VLAN switching that we were able to resolve using the DACL method.
We also have Palo Alto firewalls that are set up and integrated with ClearPass--works well as far as I know, though I haven't spent a lot of time in the PANs lately.
Let me know if I can help at all.