I have used a similar design for a campus office. Basically, the AP can use DHCP to get an IP address from the network, and the DHCP server response includes Option 43, which tells the AP the IP address of the WLC. After that, the AP will communicate with the WLC via a CAPWAP tunnel, get its full config, and then start broadcasting the SSIDs. The way to get to the internet depends on how the WLC is configured. If traffic is centralized and terminated at the WLC, then Wi-Fi users will land on a VLAN locally configured on the WLC and route via the firewall to the internet. Ideally, you want this to be a separate firewall interface (call it WIFI-DMZ) so that you can apply firewall policy via ACLs. On the other hand, if using FlexConnect or HREAP, then Wi-Fi users will land on a VLAN configured on the access LAN switch, and from there route to the internet.
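
The Option 43 step described above, as an added example that is not part of the original post: it builds and decodes the Option 43 payload and flags any advertised controller that is not on an allow-list, which is how a DHCP response steering APs to an unauthorized WLC can be spotted. It assumes the Cisco lightweight AP encoding (sub-option type 0xf1, length of 4 bytes per controller); the function names, addresses and allow-list are constructed for illustration.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # assumed: sub-option type Cisco lightweight APs read for WLC addresses

def encode_option43(wlc_ips):
    """Build the payload: type 0xf1, length 4*N, then N packed IPv4 addresses."""
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if not body or len(body) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([CISCO_WLC_SUBOPTION, len(body)]) + body

def decode_option43(payload):
    """Walk the TLVs and return controller addresses found in sub-option 0xf1."""
    wlcs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds payload")
        if tlv_type == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("0xf1 length must be a non-zero multiple of 4")
            wlcs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                     for j in range(0, length, 4)]
        i += 2 + length  # skip to the next TLV, whatever its type
    return wlcs

def unexpected_controllers(payload, allowed):
    """Return advertised controllers that are not on the allow-list."""
    return [ip for ip in decode_option43(payload) if ip not in allowed]

# Constructed sample values, not taken from any real network.
ALLOWED = {"192.168.10.5", "192.168.10.6"}
GOOD = bytes.fromhex("f108c0a80a05c0a80a06")   # two authorized WLCs
ROGUE = bytes.fromhex("f1040a636363")           # 10.99.99.99, not on the list

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("ROGUE", ROGUE)):
        print(name, decode_option43(payload),
              "unexpected:", unexpected_controllers(payload, ALLOWED))
```
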