We recently added a guest WLAN to our 4402 controller and have successfully created and used "guest accounts". The issue we are having is our corporate users can connect to the guest WLAN and use their credentials to authenticate to the guest WLAN. Is there a way to limit Web Authentication to not utilize our ACS in addition to the local user name/password accounts created on the WLC?
What you need to do is create 3 bogus radius servers and then on the guest wlan ssid, point the 3 bogus radius servers on that. This will prevent the internal users from authenticating to the correct radius server. If you need to know.... the WLC will look up the local account first and if there is no valid username and password, then the wlc will automatically look at the radius servers setup on the wlan. If no radius server are defined, then the wlc will look at the other radius servers configured on the wlc.
Hope this helps.