We have our access points set to use the "open" method for network association, followed by a splash page configured for AD authentication. My question is that "open" also has no encryption. What is in place to prevent any users from capturing AD traffic, or is the splash page just proxying the AD login process and Kerberos is protecting the AD authentication stream?
The HTTPS encryption of the splash page should protect against sniffing.
See the Note on this page:
Even though HTTPS is the solution, I highly recommend to avoid open networks as there might be other non-encrypted traffic which can be easily captured.
Also, WPA3 will have OWE (Opportunistic Wireless Encryption) for exactly this reason.