Are you using hotspot functionality?
Nope, we use mainly PPPoE or DHCP for users
Any ideas?
My users, if they do not pay, receive one SMS instead of having the connection blindly disabled.
If they still do not pay, after 7 days we call the user.
If they do not answer and still do not pay, after 7 days they receive another SMS and the connection is completely blocked.
If they still do not pay, after 7 days the debt collection institution intervenes, and then the law court.
Yes - we are using SMS warnings, and it works very well, but still many of the companies prefer to have that kind of screen with instructions for the user - where and how they can pay and so on.
The modern way is to reject their auth request via AAA/RADIUS, that's it. With DHCP of course, you need to configure additional options for security.
But rejecting AUTH will lead to no internet, I guess. Some devices like Huawei routers have an option to redirect the user to some SITE for information - though we don't know how they do it.
You can use a DNS server which has the functionality to reply, for an IP list of such users, to any DNS request with the same IP (the IP of your web server hosting that page), like DNS spoofing. This will partially work: if some website replies with an HSTS header and the user has already visited that page, the browser will remember that and still return a warning that the connection is not secure, but if the host is visited for the first time, is not in the browser cache, or the website is not setting an HSTS header, it will work.
You can try it by simply adding the IP of your local web server for some host.domains in your hosts file and seeing in your browser how it works.
Edit: Also, for that you will need hairpin NAT on the router for the DNS port and the IP of your DNS server.
Edit2: Maybe you do not need to find a DNS server which can respond per IP; just set up an additional DNS server which will return the same IP for any request, and you can dynamically manage hairpin NAT rules on the router for the IP addresses that are blocked. Still, the HSTS issue persists...
DNS Redirect was one of the ideas we thought about. It should be pretty simple to set up a DNS server with FAKE zones inside, all leading to the same IP. Though I was worried about the DNS cache in end user routers / PCs, but now you say there is another problem like HSTS, so maybe it will not work 100%.
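
The "additional DNS server which will return the same IP for any request" discussed above, sketched as an added example that is not part of any post in this thread. `PORTAL_IP`, port 5300 and all function names are assumptions. It answers A queries with a short TTL to limit the client-side caching concern and gives other types (AAAA included) an empty NOERROR so dual-stack clients fall back to A.

```python
import socket
import struct

PORTAL_IP = "192.0.2.10"  # assumption: address of the payment-information web server
TTL = 30  # short TTL so cached answers expire quickly once the account is unblocked

# Constructed sample: query for "example.com" type A, id 0x1234, RD set.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

def question_end(query: bytes) -> int:
    """Validate the header and return the offset just past the single question."""
    if len(query) < 12 or query[2] & 0x80:
        raise ValueError("not a DNS query")
    if struct.unpack("!H", query[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while pos < len(query) and query[pos] != 0:
        if query[pos] & 0xC0:
            raise ValueError("compressed name in question")
        pos += 1 + query[pos]
    if pos + 5 > len(query):
        raise ValueError("truncated question")
    return pos + 5  # zero label + QTYPE + QCLASS

def build_response(query: bytes, portal_ip: str = PORTAL_IP) -> bytes:
    """Answer every IN A question with portal_ip; other types get an empty NOERROR."""
    end = question_end(query)
    qtype, qclass = struct.unpack("!HH", query[end - 4:end])
    answer = b""
    if (qtype, qclass) == (1, 1):
        # 0xC00C is a compression pointer to the name in the question section.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, TTL, 4) + socket.inet_aton(portal_ip)
    flags = 0x8080 | (query[2] & 0x01) << 8  # QR=1, RA=1, RD copied from the query
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer

def serve(bind=("0.0.0.0", 5300)):  # assumption: router NATs blocked users' port 53 here
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            pass  # drop malformed packets

if __name__ == "__main__":
    serve()
```

Only plain HTTP requests reach the information page cleanly. HTTPS requests, and any host the browser has pinned via HSTS, produce a certificate warning instead, as noted in the thread.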