by mysteria
897 days ago
If you want to do this 100% locally it's pretty easy with Pfsense/Opnsense combined with the Freeradius plugin. You can create your CA, hook it up to Freeradius, and create accounts and certificates all from the GUI (if you know what you're doing). As a bonus you can use the same certs with say the built-in OpenVPN system, and revocation of certificates is handled seamlessly in the UI as well. Personally I found it much simpler than doing it by hand with OpenSSL commands, which I used in the past when I had a smaller deployment. The great thing with WPA Enterprise is that you can assign VLANs based on the client's login, just like an 802.1X switch. For instance my phone is sent to one VLAN, my company laptop to another, and my personal laptop to another. I can use a single SSID and get all the benefits of a multi-VLAN setup. For guests I provide a username and password for MSCHAPv2 authentication, while family devices are issued full certs. What about IOT devices? I generally only use commercial wired gear (IP phones, cams, etc.) anyways with no internet access, and I'm of the belief that if it doesn't support WPA-Enterprise it shouldn't be on the network in the first place :). So that rules out all those data-mining smart speakers and so forth.
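The per-client VLAN assignment the comment describes is done with RADIUS tunnel attributes in the Access-Accept; the FreeRADIUS `users` file below is an added illustration (not the commenter's configuration or the pfSense plugin's generated output), with constructed identities, VLAN IDs and a placeholder password.

```conf
# Constructed example: FreeRADIUS "users" file entries that return a VLAN
# per authenticated identity. The AP must be configured for dynamic VLANs
# and must trunk VLANs 10, 20 and 30 (constructed IDs) to the switch.

# Certificate-authenticated (EAP-TLS) devices: the identity is the name the
# client presents; no password check item is needed because the TLS
# handshake itself does the authentication.
"phone"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

"personal-laptop"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Guest account for PEAP/MSCHAPv2: password is a check item on the first
# line, the reply attributes send the guest to an isolated VLAN.
"guest"   Cleartext-Password := "REPLACE-WITH-GUEST-PASSWORD"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Anything not listed above gets no VLAN attributes; configure the AP to
# reject (or quarantine) clients that authenticate without one rather than
# letting them fall through to the SSID's default VLAN.
```

For PEAP the MSCHAPv2 exchange runs in the inner-tunnel virtual server, so the tunnel attributes must be copied to the outer reply (FreeRADIUS's PEAP `use_tunneled_reply` setting or an `update outer.reply` block) or the AP never sees them.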