I am looking for a way to control access through a firewall based on an external script. In the past I have used squid as a transparent proxy through shorewall with an external_acl.

This way seems too complex. Is there any program out there that can use an external script, similar to external_acl in squid, to do access control?

I was looking in shorewall, but all I see is MAC control, and no way to redirect to an authentication website running on the router if the MAC check fails.

Does anyone know of a way I can do this?

To REDIRECT, make a chain in the nat table specially for the MAC check and make the last rule a REDIRECT

If you are controlling M$ clients, you can setup squid for auth_ntlm.
The clients will then silently auth to a domain controller/samba using their login credentials
Closing the browser will close the auth session..

Is there a way to make the redirect dynamic? What I really want to be able to do is have a php script that checks the source and destination and chooses whether to redirect, accept, or deny based on those.

Is there a way to set up a chain to do this?

Sure, that's always possible, with a few security caveats..

The iptables rules can be loaded, added, removed dynamically..
That could be scripted via php or perl from a webpage on the firewall or remote.
Rules need to be operated on as root user, which is the security risk.. allowing a script that much privelege..

A typical example would be only allowing web access to users that have dhcp leases in group "web"..

Have a look at the iptables tutorial for a broad overview of what's controllable.
There's also a netfilter patch-o-matic system to build even more features..