We are using a WLC 5508, and currently the authentication process is via Customized WebAuth. As you know, with WebAuth the authentication process won't work unless you launch a web browser, and you will be redirected to the authentication page where you type your username and password. This is a bit fuzzy for most of the users, and what I'm thinking is to use a different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that a public/third-party certificate will do this and any client can accept the public certificate.
Can anyone elaborate on this approach?
I don't know what you mean... The end user has to choose the SSID, and then it's up to the device if it automatically opens a browser so the user sees the portal page. This is how it would be if you went to a coffee shop with free wifi that had a login or a portal page to accept the agreement before providing access.
You need to understand what the devices need to do and what WLCs or RADIUS servers can perform. In a normal environment, you would only have one guest or portal page. How would this be confusing to users? It's like going to a coffee shop. If they can't figure that out, then like they say... user error. Guest is best effort to many organizations and they will not support that for users. If you have devices that need to access the internal, then you need a RADIUS server to look up either machine (domain machine) or AD username and password. That is how things are typically deployed.
With machines that are not part of the domain, typically if you still want to secure them using 802.1x, you would leverage a RADIUS server and users would be told of the SSID to connect to and enter their AD credentials. Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full-fledged profiler. Depending on how well you know RADIUS, you can leverage a portal page also, and depending on the AD group a user is a member of, you can put them in a specific VLAN or leverage interface groups. You can do many things, but you need to really know RADIUS and client types to figure out what can and will work well in your environment. RADIUS alone, to someone who hasn't played with it, can take days to set up without help.
Every client I set up RADIUS for is different, and it comes down to how their users are set up in AD, what devices they have and the requirements.