To make the decision at the access point, you'd use an AP that supports VLAN tagging based on SSID. You'd define one SSID for unauthenticated Internet access (VLAN #1), and another SSID for authenticated private network access (VLAN #2). You'd need to connect your APs to a VLAN-capable switch to relay VLAN #1 traffic in one direction, VLAN #2 traffic in the other direction. You'd send VLAN #1 traffic through a web portal, for example NoCatSplash, to display your disclaimer page.
To make the decision at a wireless gateway/switch, you can use any AP and one or more SSIDs (depending on your desired link layer security architecture). The gateway/switch will be responsible for acting as the web portal, displaying a login page, letting guests "click through" without authenticating, providing real user authentication for others, and enforcing role-based access control. Many wireless gateways and switches can also apply VLAN tags based on authenticated role. Andy Dornan wrote a nice overview of WLAN gateways and switches for Network Magazine; you'll find plenty of vendor product URLs there.
This was first published in September 2004