I have a working WLC with Guest wifi SSID. I've noticed this "Guest Lan" check box under the interface which is used as guest. I've not checked this box but when you do, the IP address fields are taken away and you're left with the VLAN ID.
The guest network is a layer2 network and guest users hit the ASA firewall for their default gateway, so all they obtain is internet access.
I've seen this link about wired guests: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html#anc10
But I'm unsure how / why the IP info is removed when you tick the Guest Lan box.
Is anyone using this, and do you know the differences?
Is this the one where they form a CAPWAP tunnel back to the anchor controller in the DMZ? If so, I'm able to speak on it, as it's tied in with my NAC system providing authentication.
We used it without checking the Guest box. However, had there been time to test it, we might have used it after reading through the doc you posted. We did a setup like that for standalone sites. The reason was to isolate a guest from everything until they had passed through an ACL on the ASA. If they can hit an IP on the WLC they can compromise it.
I've not tested / checked to see if the guest IP tied to the guest interface on the WLC is reachable from the guest wifi network. I'm guessing that it might well be. However, our web auth uses the virtual IP for the guest users. At the moment it is still 1.1.1.1. I have PSK set up as the primary authentication since our office is below apartments. Then, web auth kicks in.
Deanwebb, I've only ever set up single-controller networks, so I'm unsure. I've set up a separate guest network subnet which is like a DMZ #2.