The scenario is this:
client - WLC - RADIUS - captive portal
The client connects to the SSID, the WLC sends an authentication request to RADIUS, RADIUS authenticates every user because it is MAB, and includes ACL and URL-REDIRECT parameters in the Access-Accept. The client is redirected to the captive portal; once they click on "accept terms and conditions", this action sends a CoA to the WLC in order to change the ACL for the client to an ACL with permit all.
This is because I need DNS-based ACLs in the WLC. It is a Cisco bug: they only accept URLs in the ACL instead of IP addresses when this ACL is a RADIUS attribute; if you apply the ACL directly, only IP addresses are supported in the ACL. So if I want to permit login with Facebook, I can't open all the Facebook ranges and Akamai, so my only option is to use RADIUS, only to pass these two attributes, ACL and URL, and once the client clicks on submit or login with Facebook, I will write a script to send the CoA to the WLC and change the ACL in order to permit all traffic to the internet.
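The two RADIUS exchanges described in the post (the MAB Access-Accept carrying the url-redirect AVPairs, and the portal's CoA that swaps the client's ACL) as an added example in Python; it is not the poster's script and not Cisco code. It builds the RFC 5176 CoA-Request with its MD5 Request Authenticator, verifies the CoA-ACK/NAK the way the sender should, and includes a check of the request the way the WLC does it. The shared secret, MAC address, ACL names, portal URL and WLC address are constructed sample values; UDP 1700 is the usual Cisco CoA port; and the choice of Airespace-ACL-Name (vendor 14179, type 6) as the attribute that changes the ACL is an assumption to be confirmed against the WLC release in use.

```python
"""RADIUS CoA-Request (RFC 5176) builder and checker for pushing a new ACL to a WLC.

Added example, not the poster's script. Secret, MAC, ACL names, URL, port and the
attribute that carries the ACL are assumptions; confirm them against the WLC docs.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT, COA_REQUEST, COA_ACK, COA_NAK = 2, 43, 44, 45

ATTR_CALLING_STATION_ID = 31        # client MAC; selects the session on the WLC
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1                 # Cisco-AVPair (url-redirect=..., url-redirect-acl=...)
VENDOR_AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6   # Airespace-ACL-Name; assumed to be honoured in a CoA


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the 2 header octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute (RFC 2865 5.26) holding one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def redirect_avpairs(portal_url: str, redirect_acl: str) -> bytes:
    """The two Cisco-AVPairs the RADIUS server returns in the MAB Access-Accept to trigger the redirect."""
    return (vsa(VENDOR_CISCO, CISCO_AVPAIR, f"url-redirect={portal_url}".encode())
            + vsa(VENDOR_CISCO, CISCO_AVPAIR, f"url-redirect-acl={redirect_acl}".encode()))


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def coa_set_acl(secret: bytes, identifier: int, client_mac: str, acl_name: str) -> bytes:
    """CoA that selects the client by Calling-Station-Id and pushes the permit-all ACL name."""
    attributes = (attr(ATTR_CALLING_STATION_ID, client_mac.encode())
                  + vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, acl_name.encode()))
    return build_coa_request(secret, identifier, attributes)


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return code, identifier, packet[4:20], attrs


def check_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the WLC does on receipt: recompute the Request Authenticator and compare in constant time."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Server/WLC side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def check_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a CoA-ACK/NAK only if the identifier matches and the Response Authenticator verifies."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_coa(packet: bytes, wlc_ip: str, secret: bytes, port: int = 1700, timeout: float = 3.0) -> bool:
    """Send the CoA to the WLC (UDP 1700 is the usual Cisco default); True only on a verified CoA-ACK."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (wlc_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return check_response(reply, packet, secret) and reply[0] == COA_ACK


if __name__ == "__main__":
    # Constructed values: replace with the real WLC address, shared secret, client MAC and ACL name.
    req = coa_set_acl(b"CHANGE_ME", 1, "aa-bb-cc-dd-ee-ff", "PERMIT_ALL")
    print("CoA-ACK received" if send_coa(req, "192.0.2.10", b"CHANGE_ME") else "no verified CoA-ACK")
```

Only the shared secret stands between anyone who can reach UDP/1700 on the WLC and a permit-all ACL for an arbitrary MAC, so restrict the WLC's CoA clients to the portal host and keep the secret out of the web root. Whether the WLC applies Airespace-ACL-Name directly from a CoA, or instead needs a Cisco-AVPair such as subscriber:command=reauthenticate followed by a fresh Access-Accept from the RADIUS server, depends on the release; a packet capture of the CoA-ACK or CoA-NAK (with its Error-Cause attribute) is the quick way to find out before the portal relies on it.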