If you want to do something extra fancy with your wifi network without spending too much money, then a $60 TP-Link EAP225 is just for you. However, at this price point, don't expect the fancy features to be too fancy.
This access point allows you to create a guest network easily, that one has its own pseudo-VLAN. This means while any devices associated with this guest network have the same subnet as the main network, these guest devices cannot ping or share files with those on the main network. This EAP225 does offer true VLAN, but it must be under the router or switch that supports VLANs.
There is a portal feature for the EAP225. You can associated a portal with a particular SSID, presumably the guest SSID. The portal page can redirect the clients to another location to be managed. You can put a password on the captive portal page. Once entered, the client would be connected to any SSID. You can make the guest SSID with no encryption, and point the portal to it. You can also make the portal not asking for a password. Just because you can connect to an SSID with a password, it does not automatically mean the data between your computer and the access point is encrypted. This is the difference between authentication and confidentiality. Authentication is what you are allowed to do whereas confidentiality means you can hide what you are doing. Without encryption, there is no confidentiality. Basically, the captive portal is a way to show a splash page with some disclaimer information you want those using the guest network to know. The EAP225 needs to reach out to an external RADIUS server for user and password authentication.
The EAP225 is an inexpensive way to get your feet wet with more advanced features of Wifi connectivity, but it needs a separate more powerful and feature-rich RADIUS server or router/swicth that supports VLAN to make it more appropriate for any Wifi corporate network.
