Ok, maybe I missed the explanation.
We already have a WPA2-AES VAP with both machine and user authentication. The problem comes with non-Windows clients (iOS, Androids), or Windows clients that are not part of our corporate AD. I would prefer not to deal with them, but I have no choice. And also, with some equipment with no users at all (electrocardiographers, for example).
So, the solution I thought about was a VAP with WPA2-PSK, with:
- some ACLs permitting traffic to those servers used by that kind of equipment.
- a captive portal, with both RADIUS and an internal database for authenticating users.
My aim is not to deploy many VAPs. We already had three VAPs previously: voice, corporate equipment, and guest access. So I would like to integrate both solutions (non-802.1x equipment and other OSs) in only one more VAP, so I thought about this solution. And also keep a simple configuration that could meet the requirements of other vendor controllers I have at other sites, and have a similar WLAN deployment to make support easier.
I would appreciate your thoughts about this question,
many thanks,
Jose