Well, for guest you can use, as you said, the captive portal... if you use the internal database.
When you are making the guest wireless you can try this:
1- In the role you are using after the captive portal authentication, put a role which just has access to the internet and does not have access to anything in the internal network; you can do that with the roles.
2- Try NATing so the network you are using does not exist in your internal network. Let's say 172.16.3.0/24, let's say that network does not exist in your network; well, then use that one and NAT through the IP of the AP. I don't know if you get the idea?
3- You can periodically change the password of guest... as it does not automatically expire like with the controller... I asked for this feature; you can vote for it on the ideas tab. If it gets a lot of kudos they might put it in future releases.
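
An added example, not part of the post above and not vendor configuration syntax: a small first-match rule model for checking steps 1 and 2 before applying them, i.e. that the guest role cannot reach internal prefixes and that the NAT subnet does not collide with them. The rule tuple format, the role names and the internal prefixes are assumptions constructed for illustration; only 172.16.3.0/24 comes from the post.

```python
import ipaddress

def evaluate(role, dst, proto, port):
    """First-match evaluation; traffic matching no rule is denied."""
    addr = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in role:
        if (addr in ipaddress.ip_network(net)
                and r_proto in (None, proto) and r_port in (None, port)):
            return action
    return "deny"

def audit(role, internal, guest_net):
    """List guest-subnet overlaps and permit rules that reach internal prefixes."""
    findings = []
    guest = ipaddress.ip_network(guest_net)
    for prefix in map(ipaddress.ip_network, internal):
        if guest.overlaps(prefix):
            findings.append(f"guest subnet {guest} overlaps {prefix}")
        for idx, (action, net, r_proto, r_port) in enumerate(role):
            rule_net = ipaddress.ip_network(net)
            if not rule_net.overlaps(prefix):
                continue
            if action == "permit":
                findings.append(
                    f"rule {idx} permits {r_proto or 'any'}/{r_port or 'any'} to {prefix}")
            elif r_proto is None and r_port is None and prefix.subnet_of(rule_net):
                break  # blanket deny covers the whole prefix; later rules cannot match
    return findings

# Constructed sample data (hypothetical internal prefixes and roles).
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
GUEST_NET = "172.16.3.0/24"  # subnet suggested in the post
WEAK_ROLE = [("permit", "0.0.0.0/0", None, None)]  # allow-all after login
GUEST_ROLE = [("deny", p, None, None) for p in INTERNAL] + [
    ("permit", "0.0.0.0/0", None, None),  # internet only
]

if __name__ == "__main__":
    for name, role in (("weak", WEAK_ROLE), ("guest", GUEST_ROLE)):
        print(name, audit(role, INTERNAL, GUEST_NET) or "no findings")
```
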