And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising. And you'll get such devices quite soon because vendors can't be bothered to implement support for 'enterprisey' stuff if it's no use for most of their consumers.
I know such a company. They've deployed Ethernet/WiFi authentication using IPSec throughout the company, with smart cards for desktop logins, etc. And then they had to make it work with Windows CE-based devices (they've paid me to do this, actually). Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.