Oh, these are neat ideas, I hadn’t thought of that!
One concern might be expiring access credentials (not sure if most OSes will re-prompt for a new password or just give up), but you could just make the EAP credentials per-user instead and redirect users to the captive portal again once needed.
This leaves clients not supporting WPA-EAP, but these could just continue using the regular unencrypted/MAC-authenticated service.
That’s what Passpoint (aka Hotspot2)’s Online Sign Up is supposed to do. Main network is protected by WPA2/3-Enterprise (aka EAP), and there’s the OSU open network where you can get signed up and get a profile installed for the full main network. And every modern device supports EAP these days.
Well, the customer also needs to futz around with scanning a QR code, and get it from the device she scanned it on to the device she wants to use the wifi on (if they ain't the same.)
Though you could route around these problems by giving them both a scannable code, and underneath some credentials as plain text they could type.