What i have is maybe not what you are looking for but it would be an awesome video for Tom or Jay to make.
My WPA2-Enterprise or WPA2-EAP PEAP network:
I have a pfSense router. I have Freeradius in a Proxmox ct with a MariaDB backend for Radius users and user groups. Every user group is assigned a vlan id. If i put user Bob in Guest 1 group with a surten vlan id he will be put in that vlan wen he logs in on my wifi network.
I have 4 separate wlan networks (vlan’s):
WLAN1 - Open / captive portal
WLAN2 - private
WLAN3 - Guests 1
WLAN4 - Guests 2
Any of the WLAN networks have different security rules, limitations and so on tailored for purpose of the users of that WLAN subnet in pfSense.
I use one wifi ssid for these dynamic assigned vlans to users so depending on who is logging in i can assign a vlan to the user by putting this user in one of the user groups i made in de database. The other ssid i use is for the open / captive portal network WLAN1.
The connections with the Freeradius server is over a TLS connection. For this i use a CA and server certificate created in pfSense cert manager.