Hey, guys!
imagine the scenario that follows:
I thought about using captive portal, but it has support for clients that have a browser. I need IoT devices (which don't have a screen or browser) to be hit too!
How can I do this? Can anyone help?
Thank you!
monowall had a neat password per segment walled garden feature for such a scenario...
depending on the IoT device... your options will vary. but based on what you've written, i'm struggling to know why or how you'd think a second layer could be implemented...
basic programmable devices speak http/udp/mqqt/etc fine... light bulbs on the other hand? Good luck 
How did you think doing that authentication, if the client has no IP address???
Second authentication? By which component? WiFi hostapd knows about SSID etc.., but not much more.
What scenario you are thinking?
Rogue device knows WiFi password, so why would it not know the second password? Is there some config to be done, or what are you trying to accomplish?
Some ideas for you:
So, the environment is emulated
In this scenario, I want to test a transaction for a private blockchain as soon as a new device get in the wlan.
Since the mac for that address is already on the blockchain, I want to release access, otherwise I want to generate an alert
the transaction needs to contain the mac address of the customer who entered the password, so I need to know his mac and I need to keep it without traveling until I check if it is a device that my network already knows.
I hope it's clear enough
thanks for answering