@Gertjan
Thanks for replying.
We have about 100 users/staff usually at my location, most using multiple devices, plus other staff who may come and go from another branch (about 500 total if counting all branches). The portal was intended to be used for WiFi and staff only, so we hooked our pfSense up with a VPN connection to our AD (which is at another location) and use it as an authentication backend. But now the higher-ups want to add a voucher option for guests; previously we just made an account to use exclusively for guests instead.
We do have VLANs for each department, separate from the portal WiFi networks. Before using the portal, the WiFi was more of a convenience thing (which it still kinda is), with no authentication required.