Answering your quetsion do you have clear the box of Allow only one active user session? on the captive portal authentication profile?
Just as recommendation, just putting EAP TLS is more secure than doing those things. It is not possible to put this kind of authentication?
Maybe using quickconnect to onboard them all as they are all using IOS devices.. i mean that way you wont have to buy all the clearpass if you don thave money for it.