Actually IEEE 802.11u implements something like EAP-UNAUTH-TLS where the client auths the server but the server does not auths the client.
After that, the best would be to push the whole traffic throug tor (Or even to run a tor exit node, if nobody can say from which side of the network the requezst comes from ...).
I've always thought it would be a good idea to just route all traffic through tor with an insecure ssid (and a separate one for yourself. It would take care of security concerns, or getting blamed for torrenting.
After that, the best would be to push the whole traffic throug tor (Or even to run a tor exit node, if nobody can say from which side of the network the requezst comes from ...).