Capitan Security

How to integrate a custom external captive portal with a RADIUS-enabled firewall so authenticated users gain network access?

I have a setup where a firewall (which supports RADIUS-based captive portal authentication) currently provides a built-in captive portal. Normally, when a user connects and attempts to browse, the firewall intercepts their traffic, presents its captive portal page, and upon receiving a valid RADIUS Access-Accept, grants the user network access.

However, I’ve built a custom external captive portal workflow:

While my backend successfully authenticates the user against RADIUS, the firewall does not automatically know the user is authorized because the authentication isn’t happening directly via the firewall’s internal process. Without the firewall seeing the Access-Accept itself (or being explicitly notified), the user’s network access remains restricted.

Questions:

How can I notify the firewall that the user is now authenticated so it can lift the captive portal restrictions? Are there standard approaches or protocols for this scenario?

Many firewalls support an “external captive portal” feature where after successful authentication, the portal can redirect or send certain parameters back to the firewall. How can I implement this handshake so the firewall acknowledges the user as authenticated?

Alternatively, can I use RADIUS Change of Authorization (CoA) packets to inform the firewall that the user’s authorization has changed, or are there other API calls or integrations that allow updating the firewall’s state?

I’d appreciate guidance, best practices, and examples from anyone who has integrated custom external captive portals with RADIUS-enabled firewalls (FortiGate, Cisco, Aruba, pfSense, etc.) so that authenticated users automatically gain full network access.

Upvotes: 0

Views: 46
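For reference on the CoA option raised in the question, this added example (not part of the original post and not any vendor's code) builds an RFC 5176 CoA-Request and checks the authenticator on the reply, so a forged or mis-keyed CoA-ACK is never treated as confirmation. The session attributes, identifier and secret are constructed, and it is an assumption that a given firewall accepts CoA for captive portal sessions and matches on these attributes.

```python
import hashlib, hmac, socket, struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
USER_NAME, FRAMED_IP, ACCT_SESSION_ID, MSG_AUTH = 1, 8, 44, 80

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """CoA-Request carrying Message-Authenticator and Request Authenticator."""
    length = 20 + len(attrs) + 18            # header + attributes + Message-Authenticator
    head = struct.pack("!BBH", COA_REQUEST, ident, length)
    zeros = bytes(16)
    # Message-Authenticator: HMAC-MD5 over the packet with the authenticator
    # field and the attribute's own value both set to sixteen zero octets.
    mac = hmac.new(secret, head + zeros + attrs + attr(MSG_AUTH, zeros),
                   hashlib.md5).digest()
    body = attrs + attr(MSG_AUTH, mac)
    # Request Authenticator: MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(head + zeros + body + secret).digest()
    return head + auth + body

def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """True only for a CoA-ACK whose Response Authenticator matches the request."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    # Response Authenticator: MD5(Code + ID + Length + RequestAuth + attrs + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]) and code == COA_ACK

def sample_request(secret: bytes) -> bytes:
    # Constructed sample session: user name, client IP (TEST-NET-1), session id.
    attrs = (attr(USER_NAME, b"alice")
             + attr(FRAMED_IP, socket.inet_aton("192.0.2.25"))
             + attr(ACCT_SESSION_ID, b"sess-0001"))
    return build_coa_request(secret, 7, attrs)
```

RFC 5176 assigns UDP port 3799 to these messages; a CoA-NAK or a reply that fails verification should leave the portal's view of the session as unauthorized.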

Answers (0)
