Captive portal; authentication source: local DB + Active Directory. Post-auth, populate the endpoints database with the MAC and send a CoA; subsequent auth is with the MAC.
The MAC needs to be taken out of the portal redirect URL; users typing this in themselves is asking for trouble.
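A sketch of the flow described above, added here as an example and not code from the original note or from any vendor product: the MAC is read from the redirect URL instead of being typed by the user, validated, recorded after a successful login, and a CoA is triggered so that the next authentication is by MAC. The query parameter name `mac`, the `Portal` class, the in-memory endpoint store and the two callables are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    compact = re.sub(r"[:.\-]", "", raw.strip().lower())
    return compact if _HEX12.fullmatch(compact) else None

def mac_from_redirect(url, param="mac"):
    """Read the MAC the network device put in the redirect URL (parameter name assumed)."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    if len(values) != 1:  # missing or repeated parameter: refuse to guess
        return None
    return normalize_mac(values[0])

class Portal:
    def __init__(self, check_credentials, send_coa):
        self.check_credentials = check_credentials  # local DB + AD check, supplied by caller
        self.send_coa = send_coa                    # CoA sender, supplied by caller
        self.endpoints = {}                         # stand-in for the endpoints database

    def login(self, redirect_url, username, password):
        mac = mac_from_redirect(redirect_url)
        if mac is None or not self.check_credentials(username, password):
            return False
        self.endpoints[mac] = username  # post-auth: record the MAC
        self.send_coa(mac)              # trigger re-authentication of the session
        return True

    def mac_auth(self, raw_mac):
        """Subsequent authentication: accept only MACs registered via the portal."""
        mac = normalize_mac(raw_mac)
        return mac is not None and mac in self.endpoints

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    coa_log = []
    portal = Portal(lambda u, p: (u, p) == ("alice", "s3cret"), coa_log.append)
    url = "https://portal.example/login?mac=AA-BB-CC-00-11-22&ssid=guest"
    print(portal.login(url, "alice", "s3cret"), coa_log, portal.mac_auth("aabb.cc00.1122"))
```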