You could do this by putting the users in a captive portal role after they authenticate. Then put an "accept" or "done" button at the bottom of the page which will put them into their final access role without a captive portal.
The downside of this is that until they click that button, all they can access is that splash page (or whatever else you allow) and this process will happen every time they reconnect.