There isn't any issue doing that, but if you are going to do this for guest access then you should probably keep it open and use webauth to allow guest access. You don't want to be responsible to setup non-employee devices and you don't want to take on the responsibility of something going wrong with their equipment. Now if you want to use it for internal use, then I guess it is okay, but it defeats the purpose of single sign on.
Thanks, our security team are not keen on people just being able to associate with the LWAPs and getting an IP address from the WLC DHCP pool. I know there is not much that the wireless client can do until it web authenticates but it is deemed as a security risk.
So I am going to propose dual authentication WPA-PSK (we will change the key on a monthly basis) and when they associate use the web authentication using the username and password created by the lobby ambassador feature.
On a side note:- If you only use web policy but the client does not associate - does the client get dis-associated after 5mins and does the DHCP entry on the WLC get removed from the DHCP data base.
I have setup wireless in two other compainies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a dmz or seperate Internet connection. Will dhco release the address... Not right away. You can play around with the lease tim and see if your laptop keeps getting the same address or one higher. If the isue is with dhco being used up from association, then don't broadcast the ssid and have the receptionist hand out the ssid with username and password. My clients use a default username and passowrd but changes that every week. They seem to prefer that over changing it every day or have a username passeor for every guest user. They use wcs to print out the guest credentials. Again, the network team has the recepionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.