This seems to have happened after upgrading to v7: I've a test guest SSID that my test client PC cannot connect to as it seems to immediately try to associate with the corporate secure SSID. The foreign controller debug showed a line that said something to the effect of "deleting client as SSID has changed" (I was not able to capture this unfortunately and I have not spotted it again), and it then goes on to produce debug outputs as it tries to connect to the corporte SSID. The anchor controller for the guest SSID does not seem to have the traffic passed to it.
Would you mind capturing the following from both the foreign, and anchor WLCs:
Is the anchor WLC acting as the DHCP server? If so, you may be hitting the following:
CSCth68708 Clients are unableto get a DHCP offer from WLC internal DHCP scope
The debug client output will allow you to see if the client is obtaining an IP address as expected, and whether or not the Guest traffic is being tunneled properly to the anchor. If you're finding that the test client continually connects to your corporate WLAN, I would recommend removing all profiles but the Guest WLAN to ensure you're not fighting a supplicant issue.
I've attached the debug output from the Foreign WLC, I cannot get any output from the Anchor as the traffic isn't getting passed on. Other SSIDs from the same Foreign using the same Anchor work ok, so I'm starting to suspect that something has gone awry with the config of the SSID on the Foreign WLC, but I cannot see anything wrong; would you recommend deleting it and starting again?
Thanks for attaching the debug. So, it looks like this client is connecting to your corporate network (since we see a lot of EAP exchanges). Can I have you test with another client that is not configured for the corporate WLAN? Please be sure to run the debugs on both the anchor and foreign WLCs simutaniously. It is also important to note that the configuration for the anchored WLAN must be identical on both. If there is a slight difference, anchoring will fail.
Another client worked with no issues. Turns out it was the first client that was at fault, it needed a patch to allow it to connect using WPA2. Apparently it's only required if SP3 (XP) has not been installed:
Thanks for your help