Billing at point of association

No, you cannot. Traffic on the subnet behind the router doesn’t go through the router, so the Hotspot cannot control it.

You can firewall/filter on the edge - for example, turn off default forwarding on the AP - and generally prevent users from talking to one another even after authentication, though.

I haven’t tried “on association” per se, but you can certainly dump users into a .1x environment where no IP connectivity is allowed until the “user” is “authenticated” via some means. I support networks where simple MAC auth is used for similar purposes to yours.

Billing is done on the Hotspot. What you want is impossible to do natively on the Hotspot. Again, the Hotspot runs on the layer 3 hop. The layer 3 hop cannot control traffic on the broadcast domain behind it.

Either move the resources to a different broadcast domain, or run a Hotspot on every AP (making each AP its own layer 3 hop).

run a Hotspot on every AP

Works for me :smiley:

I prefer ‘access control’ to start where ‘access’ starts.

By using RADIUS (User Manager does that) instead of local accounts.

You attach all the APs to the User Manager instance like you would attach a single AP. Exactly the same procedure.

http://wiki.mikrotik.com/wiki/User_Manager/Routers

A RADIUS server is the best method, being centralized. You can go for a hosted service: just add the IP of the RADIUS server in all APs and you are ready to go. You can manage the users in the RADIUS GUI and set speed limits, data transfer quotas, etc.

If you need more info, just contact me.

We are using 895 routers with a single RADIUS server in a countrywide hotspot deployment.

Birender

You configure the RADIUS servers under /radius, and then turn on RADIUS use in the Hotspot Server Profile.
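
The per-AP setup discussed so far in this thread, sketched as RouterOS commands. This is an added example, not part of any post here; the address 192.0.2.10, the shared secret, the profile name hsprof1 and the interface name wlan1 are placeholders to replace with your own values.

```routeros
# Run on every AP that hosts its own Hotspot (each AP is its own layer 3 hop).
# Placeholders: 192.0.2.10 = central RADIUS / User Manager host,
#               hsprof1    = Hotspot server profile on this AP,
#               wlan1      = wireless interface serving clients.

# 1. Register the central RADIUS server for Hotspot logins.
#    The same secret must be set for this AP on the RADIUS side
#    (in User Manager, the AP is added as a router).
/radius add service=hotspot address=192.0.2.10 secret="CHANGE-ME-long-random-secret"

# 2. Make the Hotspot server profile authenticate and account
#    through RADIUS instead of local Hotspot users.
/ip hotspot profile set [find name="hsprof1"] use-radius=yes radius-accounting=yes

# 3. Turn off default forwarding so clients associated to this AP
#    cannot talk to one another directly over the radio.
/interface wireless set [find name="wlan1"] default-forwarding=no

# 4. Review what was applied.
/radius print
/ip hotspot profile print
```

Use a different, long random secret per AP where the RADIUS server allows it, so that one compromised AP does not expose the secret shared by all the others.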

request for the username/password before they associate at all

Are you talking about WPA/WPA2 Enterprise, where you supply credentials unique to the user before associating with the AP, or are we still talking about logging into a Hotspot network via the login page served in a browser after you’ve already associated with the Hotspot network via wireless?

You’re making it harder for yourself.

Allow anybody to associate - protect it with WPA2-AES if you like - but then ask them to Log In through a HotSpot Splash page.

If they ask why 2 passwords, say ‘Security’.

Then you can use RADIUS etc. with ease.

How are they going to purchase access if they can’t associate and bring up the sign up page?

http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#WPA_EAP_properties
http://wiki.mikrotik.com/wiki/User_Manager/Wireless_Example

I don’t use Mikrotik radios for wireless but those seem related.
Maybe make a new topic asking how to do WPA/WPA2 Enterprise since the title of this topic doesn’t match that at all.