What I want is this:
1) wifi_open - open wifi with no security
2) wifi_secure - WPA2-Enterprise security, account guest/guest
2) is for those who want a secure connection. I'm not sure if network 2) is secure because everyone is using the same username and password. I would like to know if it is secure or not.
You'll need more than just the AP settings - you'll need to set up account-based policies on the 802.1x/802.3 layer for port-based Network Access Control - if you set up a RADIUS server and the appropriate policies, something like this can be done, but that's outside of the AP's scope.
In any event, with WPA2-Enterprise, you don't want to share accounts across different users (e.g. Alice and Bob having exactly the same credentials)...
My first choice for the wifi_secure network was WPA2-PSK (passphrase guest), but because WPA2-PSK is not secure it cannot be used.
Why can it not be? WPA2-PSK is more than secure enough for 99 percent of the SOHO market - it's not secure enough perhaps for the enterprise...
wifi_open guarantees that everybody can access the network.
Which goes back to that issue I raised earlier about trust in general...
There are devices that don't support WPA2-Enterprise.
There are devices that don't even support WPA2 in general... but if you deploy WPA2-Enterprise, then any device that attempts to connect to that SSID MUST support WPA2-Enterprise, otherwise they will fail...
In any event, you'd have to deploy an AP that supports multiple SSIDs - one for Open, one for WPA2-PSK, and one for WPA2-Enterprise.
On top of that, an authentication center (e.g. RADIUS or similar), define policies for the accounts, and a base level of auth for Enterprise at the 802.1x layer - e.g. how to configure the supplicants (PEAP-MSCHAPv2, EAP-TLS, etc.)
This is a semi-secure way. Alice can decrypt Bob's packets. I don't know what happens after rekeying. If it happens similarly to the procedure for the initial connection, I could imagine that it is not impossible to find the new key.
That's why it is always important to protect access information in general - WPA2-Enterprise assumes that there is a trust relationship between you, Alice, and Bob - properly done, Alice can't decrypt Bob's packets in a WPA2-Enterprise config...
Another way of looking at it though - Alice has two machines, a laptop and a tablet; she can use both, and with WPA2-Enterprise, both machines and their 802.11 frames are secure from each other.
There is no way to prevent clients connecting to rogue access points if the rogue access points use the wifi_secure SSID and the guest passphrase.
Actually there is - with port-based network access control, the rogue AP can't attach to the LAN, period... assuming of course you've properly deployed 802.1x with a Layer 3 managed switch - and then you'd still have a fair amount of flexibility with rules and policies..
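To make the three-SSID layout described above concrete, here is an added example hostapd configuration (not from this thread or either poster): one radio serving an open BSS, a WPA2-PSK BSS and a WPA2-Enterprise BSS whose 802.1X/EAP exchange is handed to an external RADIUS server. It assumes a Linux AP running hostapd with an nl80211 driver that supports multiple BSSes; the interface names, the RADIUS address, the shared secret and the passphrase are placeholders.

```ini
# hostapd.conf - added example, not the thread's own configuration.
# Assumes hostapd on Linux with an nl80211 driver that can run several BSSes
# on one radio. Replace every CHANGE_ME / placeholder value before use.

interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- BSS 1: wifi_open - no security; anyone can join and frames are cleartext ---
ssid=wifi_open
# Stop associated clients from reaching each other through the AP
ap_isolate=1

# --- BSS 2: wifi_psk - WPA2-Personal with one shared passphrase ---
# Some drivers require an explicit bssid= line for each additional BSS.
bss=wlan0_1
ssid=wifi_psk
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# WPA2 passphrases must be 8 to 63 characters, so a passphrase like "guest"
# would be rejected by hostapd.
wpa_passphrase=CHANGE_ME_8_TO_63_CHARS
# Every client on this BSS derives its session key from the same passphrase,
# which is the "Alice can decrypt Bob's packets" risk discussed above.
ap_isolate=1

# --- BSS 3: wifi_secure - WPA2-Enterprise, 802.1X/EAP via external RADIUS ---
bss=wlan0_2
ssid=wifi_secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# hostapd is only the authenticator; EAP (PEAP-MSCHAPv2, EAP-TLS, ...) is
# terminated on the RADIUS server, where per-user accounts and policies live.
eap_server=0
# Placeholder RADIUS server (RFC 5737 documentation address)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME_RADIUS_SECRET
# Placeholder identifier this AP reports to the RADIUS server
nas_identifier=ap1.example.net
# Refresh each client's pairwise key every hour (seconds)
wpa_ptk_rekey=3600
```

The accounts themselves (and the choice of PEAP-MSCHAPv2 versus EAP-TLS) are configured on the RADIUS server, not in hostapd, which is why the reply above says per-user policy is outside the AP's scope. On the Enterprise BSS each client's pairwise master key comes out of its own EAP/TLS session, so two clients get different keys even when they log in with the same username and password; the shared-credential problem with guest/guest is therefore accountability and revocation, not one client reading the other's frames.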