Here is a simple one, used as login.html on a MT. This one does not quite work as I described; in this case, the client based redirection only happens on the MT -> server link, does not involve radius, and the server does not send back further javascript. The actual enabling is done via a persistant SSH session into the MT, disabling the hotspot, and seting it up for standard service (semi-permanent activation of apartment-unique VLANs). The one I described above will take some more time to redact, I'll take a look in the morning.
<html>
<head>
<title> Please wait... </title>
<form name="redir" action="http://www.fsr.com/XXXXXXX/signup.asp" method="post">
<input type="hidden" name="VLan">
<input type="hidden" name="MTIP">
</form>
<script language="JavaScript">
re = /(.*)\.(.*\..*\..*\..*)/;
res = re.exec("$(hostname)");
document.redir.VLan.value = res[1];
document.redir.MTIP.value = res[2];
document.redir.submit();
</script>
</head>
<body>
JavaScript must be enabled in your browser in order to use the auto-signup system.
<p>
If you can not or will not enable JavaScript,
please call First Step at (XXX)XXX-XXXX to manually activate service.
</html>
I'm also abusing the "$(hostname)" variable given by the hotspot, to pass extra info back to the client. Here is an example of the "DNS name" field from one of the hotspot profiles, which the regex in the javascript cuts apart:
1105WestA-Apt407.64.126.xxx.yyy
The part before the first "." is the name of the VLAN interface to mess with, and the rest is the IP address of the MT on which to mess with the VLAN (which the server uses as a referance to a COM object it maintains, which represents a persistant SSH session to the MT. "safe mode" is used as a lock, to prevent multiple servers from operating on the MT at the same time, as well as making the changes atomic).
Ahhh, Byzantine hackery, gotta love it.
--Eric