I'm thinking of using for example a certificate based authentication, so anyone that needs to connect to such SSID must have the certificate installed on his phone. Or maybe a RADIUS server as you said in order for them to authenticate using a username and password. But I have a question regarding the certificate solution, what's the best practice for such?

Thanks! 

First of all are those devices under your administration ?  Certificate is always the best option if you manage the end user devices. Then you can use some platform in order to install certificates like MDM.

  But, If you do not manage the device (BYOD) then is a different situation. On this case your challenge is bigger and you should think about a guest network with portal. 

end user devices are employees devices, I don't know how much this could be applicable and effective. Can you please explain more technically regarding both scenarios? Thanks!

If they are employees them it can be easier. You need to have the Radius server, would be great if you have Cisco ISE but it is not required and you need to get a tools to manage mobile devices in order to install certificate. There are many out there. 

 After that you need to create the configuration on the Radius, on the WLC, install certificates and that's it. 

 Here in the community there will be plenty of material related to this scenario.  This link is just one example.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867