I explored using the Captivate plugin for TMG to enable it as a Wifi guest network with authentication against multiple AD LDAP stores.
In final testing I ran into a snag. This worked beautifully on every single test device I could find to throw at it, until I tried a Mac. What would happen is that Safari would open and redirect to the Captivate login page, but the page would never load. There was also no timeout, no error message, or anything similar to work with.
I eventually (and it took a while) tracked down the source of the problem. By default, CRL and OCSP checking on the Mac is set to "best effort", and OCSP is the preferred method. When the Captivate login page is requested, certificate validation starts, but since there is no internet access yet, the revocation check just sits there and hangs, and the page never renders.
To resolve the issue I had to add an additional access rule to my TMG array allowing access from the Wifi network to a URL set containing the certificate validation URLs. This rule has to be ordered ahead of the Captivate authentication rule so that it applies to clients that have not authenticated yet.
The URLs that need to be accessed are the ones specified in the following fields of the certificate:
- CRL Distribution Points
- Authority Information Access (AIA)
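To work out which URLs belong in that URL set, here is an added example (not from the original post) that walks a DER-encoded X.509 certificate and returns the URLs from its CRL Distribution Points and Authority Information Access extensions. It parses the DER itself with only the Python standard library; the certificate it runs on is a constructed sample containing just those two extensions, not a real issuer's certificate.

```python
# Added example (not from the original post): list the CRL Distribution Point and AIA URLs
# of a DER X.509 certificate (stdlib only). Extension OIDs: cRLDistributionPoints, authorityInfoAccess.
EXT_KEYS = {bytes.fromhex("551d1f"): "crl", bytes.fromhex("2b06010505070101"): "aia"}

def tlvs(data):
    # Yield (tag, value) for each DER element in data; X.509 uses single-byte tags.
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                        # long form: low 7 bits = byte count of the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def uris(data):
    # Recursively yield GeneralName [6] uniformResourceIdentifier values found under data.
    for tag, val in tlvs(data):
        if tag == 0x86:
            yield val.decode("ascii")
        elif tag & 0x20:                         # constructed element: descend into it
            yield from uris(val)

def revocation_urls(cert_der):
    # Return {'crl': [...], 'aia': [...]}: every URL a client may fetch while validating the cert.
    found = {"crl": [], "aia": []}
    cert_fields = next(tlvs(cert_der))[1]        # Certificate SEQUENCE contents
    tbs_fields = next(tlvs(cert_fields))[1]      # first field: tbsCertificate
    for tag, val in tlvs(tbs_fields):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            for _, ext in tlvs(next(tlvs(val))[1]):  # SEQUENCE OF Extension
                parts = list(tlvs(ext))              # OID, optional critical BOOLEAN, OCTET STRING
                key = EXT_KEYS.get(parts[0][1])
                if key:
                    found[key].extend(uris(parts[-1][1]))
    return found

def der(tag, *children):
    # Minimal DER encoder (short- and long-form lengths), used only to build the sample below.
    body = b"".join(children)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def sample_cert():
    # Constructed: a degenerate Certificate whose tbsCertificate holds only the two extensions
    # (a real one carries serial, issuer, validity, subject and public key before them).
    cdp = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca.crl")))))
    aia = der(0x30, der(0x30, der(0x06, bytes.fromhex("2b06010505073001")), der(0x86, b"http://ocsp.example.test")),
                    der(0x30, der(0x06, bytes.fromhex("2b06010505073002")), der(0x86, b"http://aia.example.test/ca.cer")))
    exts = der(0x30, der(0x30, der(0x06, bytes.fromhex("551d1f")), der(0x04, cdp)),
                     der(0x30, der(0x06, bytes.fromhex("2b06010505070101")), der(0x04, aia)))
    return der(0x30, der(0x30, der(0xA3, exts)))
```

For a real certificate, pass its DER bytes to revocation_urls() (ssl.PEM_cert_to_DER_cert() converts a PEM file first). The client validates the whole chain, so run it over the intermediate CA certificates as well and add their URLs to the same URL set.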
Once this is done, the certificate validation process can complete and the page loads. Completing validation is preferable to the certificate not being validated at all, but it would be nice if there were an error message or a timeout, as with all the other browsers that were tested.
An interesting side effect of this fix is that all the other browsers now load the login page faster too, because validation succeeds instead of having to time out first.