It can be done.. just need some tweaking with the configs..
Monitor client probes.. create evil twin for the Open WiFi probe.. Assign IP for client.. Wait till Responder snatches the creds, maybe do a couple of de-auths.. Importantly, avoid any DHCP, DNS, HTTP service conflicts..
For the PoC, I wanted to keep it as a simple targeted attack and so off-loaded the router function to an actual wifi router.. It was stable that way.. less tinkering to do..