We curently have a corporate WiSM estate that anchors a guest wireless network to a 4402 controller sat within a DMZ. This then uses a custom web bundle for local user authentication, the users which are added by any receptionists at either of two sites.
What is being proposed now, which I could be right in thinking is impossible due to the porposal interfering with our current guest setup, is that an additional internal custom page be added for a different SSID (am I right in thinking that the controller can only use one internal web authentication page?) and have users authenticating using a RADIUS authentication instead of local users. This, without interfering with the existing local user authentication policy on the original guest wireless.
Then there is the suggestion of having users get IP addresses on different subnets on a per site basis for audit purposes. I understand AP Group VLANs can do this (we currently have this on our 3 centralised WiSMs), but as no access points associate to the anchor controller itself, any AP group VLANs would sit there redundantly, right? It was suggested to have differernt VLANs per site, but our current guest setup is a blanket subnet for the entirity of the WLAN and is the way I had envisioned this new SSID to be configured.
AP Group VLANs where they would be negated, different Web Authentication policy for different SSIDs and then the authentication itself being handled by a new RADIUS server instead of the local user policy currently in place for an existing SSID... HELP!!!