captive portal is not going to work.
Can you elaborate? Why?
revoke the certificate if the router is lost/stolen
This isn't really a good defense against someone with physical access to the router. I'm less concerned about theft and more concerned about possible unauthorized use by others who may have physical access to where the router is stored.
Use SSL/TLS + User auth
How can I do this with a VoIP phone I'm attaching via one of the ports on an SG-3100 that needs VPN'd access to a non-public phone switch? I can certainly do OpenVPN connections with password-protected certs - in fact this is what I use for my other remote access clients.
I'd like to use the SG-3100 to provide VPN services for other hardware that can't do VPN services for itself, and I'd like it to take a user-supplied password for initial connection to prevent casual access by unauthorized people.
At this point, I'm leaning toward a password-saved-in-the-router IPsec VPN for JUST the VoIP phone and software (OpenVPN client) on the laptop.
I was just hoping to find some way to do both with the hardware. Thanks for your suggestions.