Really you have two issues at hand: first is securing so you can't get to corporate resources, second is keeping the devices off the network.
The first one is simple: use ACLs, like you have mentioned, on the upstream switch ports. While the WLC can do ACLs, I like to do these on the switches upstream and not burden the WLC with those tasks; it is one more item to forget to do if a WLC fails as well.
Second issue is that you are using PSK; if someone gets your PSK then they can easily put their device on the network. This doesn't have to be an outsider, this could be an employee as well. If someone were to get on your VoIP network they could flood it with traffic, causing issues for people trying to make calls. I would look at a more secure method of getting your devices online. Why? Because then you could use the abilities of ISE to see who is coming in, from what device, and what network. This would allow you to tell if someone is trying to connect a laptop to your VoIP network and then force them out a different VLAN at least, or block the connection completely.
HREAP complicates this somewhat, but we are starting to see enhancements to HREAP (now FlexConnect) that will allow this.
I will say I agree with you on both points BUT....
#1 While we agree that I need to put some form of ACL on the switch at the edge, I am still struggling to understand what ports/protocols I need to allow so the existing and future VoIP devices can do what they need, then filter out the rest.
#2 PSK is not the most secure method for sure, but given our desire for a simple, not-a-lot-of-touching process, it was the most efficient (I chose WPA2 AES to give us the best security available with a PSK) process I could see.
So given that we are a very small IT staff I have to balance the amount of time we potentially spend vs available resources.