My situation: a branch with a WAN link and a separate internet link. I want to configure an AP330 so that management and corporate users traverse the WAN link (eth0), and guest users traverse the internet-only link (eth1). The branch has an unmanaged switch connected to eth0; eth1 is connected directly to an internet router on a separate link, not connected to the corporate WAN at all.
Corporate device authentication is via certificates and RADIUS (MS NPS), corporate user auth for non-domain-joined devices is via AD credentials (gets the guest user profile), and guest auth is via 1 or 7 day PPSK.
I've attempted this with it in AP mode, and auth works for both user profiles, but DHCP discover on the guest SSID goes unanswered (the internet router is doing DHCP).
I've tried it in router mode, and auth still works in both user profiles, but this time guest gets DHCP OK, but corporate does not (the corporate DHCP server is in the data center). Management works fine in both situations. If I enable DHCP on the network assigned to the VLAN assigned to the corp user profile, then corp users get an IP from this pool and can access network resources, but nothing on the network can talk to them (as the rest of the network doesn't know how to route to that IP range).
I'm sure I'm missing something simple, but am really interested in how this SHOULD be set up, and happy to start from scratch to achieve it if required.