Thanks for the reply.  Well I was looking at the set up of a similar wlc and the confusing thing for me is they have a guest interface of 192.168.x.x/24 with a gateway of .1 and the primary dhcp server of .1 but this whole site is on a 10.x.x.x so the management vlan is 10.x.x.x/24.  There is no ip helper on any device to point to a 192 subnet so I was wondering where it might have come from.  Kind of new.  Any ideas on this?

Does it have a VLAN assigned to that interface ?  you should be able to see it by going by clicking on Controller, and Click on interfaces on the left hand side of the page and then click on the interface that is setup for guest.

No it's actually left on 0 and untagged.  I'm thinking maybe there's a dhcp server I don't know about but I can't figure out where the 192.168x.x came from when we use a 10 subnet everywhere else from what I've seen.   

Have you checked if they have DHCP server  on the wlc itself?

-If I helped you somehow, please, rate it as useful.-

Yes I checked for an internal dhcp server but there wasn't one.  This is under the guest configuration.  The management interface is the usual 10 subnet.  I can't ping or traceroute to this address.

Just send the output of "show dhcp summary" and "show dhcp scope"

-If I helped you somehow, please, rate it as useful.-

Those wlc's are off site and I can't telnet into them I can only use the GUI.

Alright. The IP address configured on the guest interface as DHCP server must be reachable by the wlc. From the wlc web interface you must be able to ping it.

-If I helped you somehow, please, rate it as useful.-

Def sure it's pingable.......I guess I'm trying to figure  out the relevance of using the 192 sub for guest but maybe it could have something to do with the fw is my guess.

I believe it is to differentiate from the Corp network. Usually it is a good idea to have logical and physical separation between both network. When physical is not possible, at least logical.

-If I helped you somehow, please, rate it as useful.-

Yes Flavio I can see that.  I now think these group of ips is coming from the AD thus also setting up  radius.  Haven't gotten access to the AD yet but we'll see.

On the WLAN, security tab, under layer 2 and layer 3 you can confirm which kind of security method it is using. For AD, usually 802.1x is selected. But for Guest is more usually used Web auth. 

 If possible you can share the output of "show running-config" of WLC and we can try to help you identify.

-If I helped you somehow, please, rate it as useful.-

I wish I could but I can't get into those wlc's on the cli just the gui.  I do know there's the employee network set up 802.1, employee byod set up 802.1, and the guest net with web-auth.  Now interface wise byod and guest are on the same interface which was why I believed the dhcp was in the AD.  Hopefully I can get in there to check.