Thanks for your fast response.
I already have SSID profile configured exactly like that - WPA2 & AES encryption. Only reason for having open type SSID like captive portal was to present a welcome page with AUP and logo, because some clients at the time could not digest internal certificate easily, which they had to ignore. So much for captive portal - never knew it would hog the CPU as it did.
Now, re digital certificate, which one to use:
- internal self-signed one generated on RADIUS server (has to be ignored by clients)
or
- wildcard validated domain style certificate used on web servers (not working)
or
- some other type that all clients will be happy with (laptops included as they have no way to verify it before they connect to Wi-Fi)?