A log-on and redirect is out of my league, but here's what I think I know:
FreeRADIUS can serve as the basis for your scenario, authenticating users against a database or a simple list using passwords or certs, but I think you'll need more pieces to complete the picture.
I found a package that's free for 4 concurrent users, and reasonable for a commercial license.
http://www.mondru.com/hotspotd.html Check out the Hotspot Daemon package. Alternatively, there are APs with this kind of feature set built in. An example -
http://www.us.zyxel.com/products/mod...lue=1021876859
Another consideration is encryption. 802.1x lets you control access, but does not protect the data stream. EAP-TLS with dynamic keys lets you avoid the hassle of passing out WEP keys to each client, but you still have to deal with certs.
EAP-MD5 uses a username/password, so is simpler to administer, but is vulnerable to man-in-the-middle and dictionary attacks. Microsoft removed MD5 from XP in SP1 because of this, so using it as an authentication method would require a third-party supplicant.
Not sure any or all of this answers the question. Maybe someone else with RADIUS or hotspot experience can jump in and correct me.
edit - I overlooked an obvious choice for the captive portal portion. NoCatAuth seems to provide the front end you'll need for the RADIUS back end.
http://nocat.net/