Captive portal on guest wifi BUT with open authentication

[FlashEngineer]

I'm wondering this for a while. If you have a secure setup, and have a separate guest wifi on it's own vlan with proper firewall rules etc, and run captive portal for that. But you keep the wifi open vs WPA2 so all users do is use captive portal for auth.

Is this safe enough or should there still be auth WPA2 (maybe simple 8 char pass-phrase) to connect to the network?

I see all hotels/hospitals/airports just have open auth and use captive portal..

 

[maze]

depends how much you care what is going on in your network or outbound towards the internet.

I personally have a seperate vlan with locked down imap, pop3, http, https and dns allowed outbound.

 

[FlashEngineer]

My point is, if they whoever connects to this SSID which has open auth, but don't know the captive portal password/user, then what damage can they do?

I would ask the same question for airpots/hotels etc, what can a guest do without logging in. I'm just trying to prevent any intrusion (if any) if someone wants to do malicious damage. But this would be at cost of a double authentication.