I'm thinking of a mechanism where the router obtains a trusted cert automatically, like Plex does (https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...), and then asks users to authenticate by password over TLS before allowing access to network resources.
That only works because there's a central registrar of Plex users. I'm not sure how this can be done ad hoc for APs. Anyone can choose any SSID, so you'd need a global registrar of SSIDs. The system will inevitably need to charge for registrations, otherwise bad actors would squat short and memorable SSIDs. A pre-shared key is much more feasible.