Open network with MAC authentication.
SSID A would be MAC authentication with allow all MAC, looking for a valid MAC in the repository and an active guest account. If false, it would send back a role which launches a captive portal to register.
SSID B would be MAC authentication as well but would not be set for allow all MAC auths. It would look for an endpoint entry. If not found, it would send back a user role to launch a captive portal with an AD over LDAPS login prompt. Upon successful authentication, the MAC would be added to the repository.
We're basically trying to get away from dot1x because of local password caching being an issue when users are forced to change their passwords (We're using EAP PEAP w/MSCHAPv2 right now). SSID A is a guest network, SSID B would be for staff. EAP-TLS is my preferred dot1x option, but I'm not sure if we're going to go in that direction at this time.
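The two-SSID decision flow described in the post, as an added simulation that is not the poster's configuration or any vendor's policy engine: the repository, role names, guest expiry handling and the post-LDAPS registration step are all assumed/constructed here to show where each branch lands.

```python
"""Simulation of the SSID A / SSID B MAC-auth policy described in the post.
Everything here is constructed: the repository layout, role names and the
'LDAPS succeeded' flag stand in for whatever the real NAC product would use."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Hypothetical role names the policy server would return to the controller.
ROLE_GUEST = "guest-access"
ROLE_STAFF = "staff-access"
ROLE_GUEST_REGISTER = "guest-captive-portal"
ROLE_STAFF_LOGIN = "staff-captive-portal-ldaps"


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-..', 'aabb.ccdd.eeff' and 'aa:bb:..' hit one entry."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Repository:
    guests: dict = field(default_factory=dict)  # MAC -> guest account expiry (UTC)
    staff: set = field(default_factory=set)     # MACs registered via the LDAPS portal

    def guest_active(self, mac: str, now: datetime) -> bool:
        expiry = self.guests.get(mac)
        return expiry is not None and expiry > now


def authorise(repo: Repository, ssid: str, mac: str, now: datetime) -> str:
    mac = normalise_mac(mac)
    if ssid == "A":
        # Allow-all MAC auth: every MAC passes; role depends on an unexpired guest record.
        return ROLE_GUEST if repo.guest_active(mac, now) else ROLE_GUEST_REGISTER
    if ssid == "B":
        # Endpoint lookup only: an unknown MAC gets the LDAPS captive-portal role.
        return ROLE_STAFF if mac in repo.staff else ROLE_STAFF_LOGIN
    raise ValueError(f"unknown SSID {ssid!r}")


def register_staff_after_ldaps(repo: Repository, mac: str, ldaps_ok: bool) -> bool:
    """Post-portal step: only a successful LDAPS login adds the endpoint entry."""
    if ldaps_ok:
        repo.staff.add(normalise_mac(mac))
    return ldaps_ok


def sample_repo():
    """Constructed sample: one live guest, one expired guest, no staff entries yet."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    repo = Repository(guests={"aa:bb:cc:dd:ee:01": now + timedelta(days=1),
                              "aa:bb:cc:dd:ee:02": now - timedelta(days=1)})
    return repo, now
```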