Well, this is not a real network but we need to guide on the real one. The AP should be on the IT vlan to stablish the tunel with the WLC. Then, using the tunel capwap, the traffic from the three SSID will be sent to the WLC and the WLC is responsible to request IP address and return to clients.

 The WLC and the switch need to be in trunk mode in order the WLC to ask IP from the 3 vlans.

That´s how a real network would work. So, the client connect to its specific SSID, the AP send the traffic to the WLC via tunel, the WLC handle DHCP to client.

@Flavio Miranda Okay I think I am understanding, so how would I set up the tunnel capwap? I do have the WLC and the multilayer switches on trunk, with a native vlan 30 along with vlan allowed 10,20,30. Or is that not the right approach for this scenario?

Alright, actually I was taking a closer look on the project and it seems it not exactly like I said.

the file I am attaching is worlking as you want. I mean, Guest is taking IP on the vlan 20.

 The explanation I gave above it true but will not apply for this exercise. As per my findings, the SSID(WLAN) needs to be in Flexconnect mode, as the AP is in flexconnect mode. So, you can forget about capwap tunel here.

The AP will get IP address to the client and not the WLC as I said.

In order to do that, the AP needs to be in trunk with the Switch and you need to add the vlan30 as Native vlan for AP management.

And on the WLC you need to create a new AP group instead using the Default AP group. On this new AP group you add only the two SSID you are dealing with (Guests and Staff)

So, step by step.

Change the WLAN to flexconnect (Advanced tab)

Create a new AP group with both SSID (WLAN tab)

Put the interface for AP in trunk with Native vlan 30

Just look on the file I attached.

@Flavio Miranda Ok, that makes sense for that, thank you. Last question with the Staff SSID and vlan. How would i set up 802.1x authorization for the Staff SSID so that the second phone can connect and obtain an IP from the Staff VLan?

For Staff which represent an Enterprise SSID, the configuration should be different. On this case, the WLAN is not flexconnect (Uncheck the flexconnect option on advanced tab). 

On the security tab for WLAN you select the radius server. You need to add the server first on the SECURITY tab. 

But, honestly I dont think this is going to work. Because when you go to the device wireless config (smartphone) when you select 802.1x it ask for a WEP key. If you dont fill the WEP key, it does not accept the config. 

The problem is that for this configuration, you should use  802.1X + Static WEP on the WLC and this option is not available. You can see this option there but when you select it says not possible. 

I tested your project with WPA2 PSK and it works fine on Staff network, but external radius seems to me is not ready yet.