When a subscriber makes a web request, e.g. https://apple.com, their browser expects to receive the certificate for apple.com in response. The client then examines the certificate and validates the server's identity (am I talking to the real apple.com?) in order to start a secure connection.
When you enable 'enable https redirections on the LAN side', HSMX answers the request with the configured certificate. The browser notices that the host name in the returned certificate doesn't match the requested host name (login.fdxtended.com != apple.com) and notifies the subscriber.
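The host name check behind this warning, as an added example (not HSMX or browser code): a simplified RFC 6125-style match of the requested host against the DNS names in the returned certificate. The SAN list is constructed to stand in for the certificate configured on the gateway, and the function names are illustrative.

```python
from __future__ import annotations

def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def san_matches(pattern: str, host: str) -> bool:
    """True if one dNSName SAN entry covers the requested host.

    A wildcard is accepted only as the complete left-most label and
    stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial or non-leftmost wildcards are rejected
    return p == h

def check_identity(requested_host: str, cert_sans: list[str]) -> tuple[bool, str]:
    """Return (ok, message) the way a client decides whether to warn."""
    for san in cert_sans:
        if san_matches(san, requested_host):
            return True, f"{requested_host}: matched SAN {san}"
    return False, (f"{requested_host}: certificate is for "
                   f"{', '.join(cert_sans)} -> host name mismatch warning")

# Constructed SAN list standing in for the certificate configured on the gateway.
PORTAL_CERT_SANS = ["login.fdxtended.com"]

if __name__ == "__main__":
    # The subscriber asked for apple.com; the redirect answered with the portal certificate.
    for host in ("apple.com", "login.fdxtended.com"):
        print(check_identity(host, PORTAL_CERT_SANS)[1])
```

The same certificate passes when the browser is actually asking for the portal host name, which is why the warning appears only on the intercepted request and not on the login page itself.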
If you don't enable 'enable https redirections ..', the subscriber will receive a 'this device is offline, server unreachable, time-out, …' message when they request HTTPS websites.
This behavior will never change: it is impossible to properly intercept HTTPS traffic. If we could, so could anyone else, and HTTPS would be rendered useless. Going forward, we notice more and more captive network assistants helping devices avoid the problem.
The setting that triggers this behavior, and which should be disabled to avoid it:
'Support HTTPS redirections on the LAN side' is enabled in
Security > SSL Settings > Guest networks.