Hello Flavio,

All 3 SSIDs are using WPA2-Personal AES with PSK.  Nothing fancy such as Dot1X or AAA authentication.

Right. Let me ask you a few question and, with that ,maybe I can help you check any blind spot you may left behind.

The SSID is Local switching or Central switching? Same question for DHCP

Is this  new vlan or existing vlan?

You said the WLC is only layer2 right? no SVI, so the ASA is the layer3 ?

If you set a static IP address on one client, does it can ping the gateway?

Flavio,

I responded to your questions via email and thought they'd post here but I guess it didn't.  Here are my responses to your questions. Again, I really appreciate your responses on this:

Central switching and central DHCP for all SSIDs; no flex profile assigned to the site tag as the AP is operating in local mode.

The VLAN is an existing VLAN on my network and has been added to the 9800 WLC.

The WLC is layer 2 only with the ASA being layer 3 so no SVIs on the 9800; only the layer 2 VLAN IDs have been added.

If I assign a static IP or receive an IP via DHCP from the wired (switch) or wireless network (Meraki MR52), I can ping the gateway from any of those VLANs.

Here's another bit of detail I forgot to mention.  Although I can get DHCP for the 2 SSIDs on the 9800, I can't ping the DHCP server directly from the 9800; although there's a default route back towards my firewall (this could be an issue with ICMP not being allowed, however).

"Here's another bit of detail I forgot to mention. Although I can get DHCP for the 2 SSIDs on the 9800, I can't ping the DHCP server directly from the 9800; although there's a default route back towards my firewall (this could be an issue with ICMP not being allowed, however)."

  yeah, it could be the firewall blocking icmp. 

Does the WLC have trunk with firewall, right?  The vlan was added to trunk?

I know those are basic questions but sometimes small details are left behind.  After all, if you have 2 ssids working, we must consider that the overall configuration must be fine.

One last thing I would recomment is look on the logs while trying to connect to the network. The radioactive logs must show something interesting.

Thank you!  I will give this a try and report any findings.

It doesn't make any sense to me but using this analyzer helped tremendously!  So, as I stated in my original post, I can get DHCP for the 2 existing SSIDs no problem but wasn't getting it for the 3rd (and final) SSID.  After running the analyzer, I had 1 error, 13 warnings, and 5 notices.  The error was stated as follows:

However, I knew I didn't have to add SVIs on the 9800 so what I did was check the Policy profile and removed the DHCP Server IP Address value shown here:

Once I removed this option, I tested the 3rd SSID and was able to get an address via DHCP immediately.  I would've never figured this seeing that the other two policy profiles for the other SSIDs also had this configured (but is now removed).  I have confirmed that I can associate to the SSIDs and receive IP info for the appropriate VLANs.  Thanks again for everyone's help on this and I'll be sure to bookmark that analyzer URL!

Terence Lockette

         @TerenceLockette             >....and I'll be sure to bookmark that analyzer URL!
  It's indeed advisable to use WirelessAnalyzer on a regular basis , especially after configuration changes and also after upgrades for instance , 

 M.