I have guest wireless set up with web auth and tied to RADIUS using an anchor controller. When I enter my AD credentials on the web auth page, the anchor controller contacts the ACS for RADIUS authentication properly.
When I add a second WLAN using WPA2-Enterprise (802.1x) for BYOC ("bring your own computer", like iPhones, employee personal computers, etc.) and tie it to the anchor controller, the RADIUS authentication incorrectly sources from the internal foreign controller and not the anchor controller. This makes it hit the incorrect rules in ACS, since I have it set up so that if the request comes from the foreign controller (for the corporate WPA2-Enterprise) then I check against machine name (domain computers), and if it comes from the anchor controller I test against username (domain users). This makes it so that it only works when you set the client to use machine authentication, which won't work for non-domain computers (which of course none of the BYOC devices are joined to the domain).
I have a TAC case open, but so far we haven't figured out why the RADIUS request sources from the foreign controller and not the anchor controller like it should. I'm running 188.8.131.52. Is this a bug in that version? Is there a setting that can be changed on the foreign controller to force the anchor to do the authentication request?
I've tried deleting both WLANs, rebooting both controllers, and recreating only the BYOC WLAN on a previously unused index number... same result. The guest web auth one sources from the anchor and the 802.1x one sources from the foreign controller.