The network policy is the same as this picture : https://d2r1vs3d9006ap.cloudfront.net/s3_images/1113752/RackMultipart20141028-27616-11412ci-ScreenShot2014-10-28at1.24.35PM.png
Any iPhone or Android gets an IP from DHCP (192.168.77.x > VLAN 77) but can't access the Internet.
What should we check? Thank you for your assistance.
That's the IP Firewall Policy, not the Network Policy. You need to also provide a screenshot of the user profile that you are using with the Firewalls setting expanded to help see what is going on.
Also, are you sure your network is properly configured so that the subnet can access the Internet? An easy way to check your config to see if it should work is to remove the IP firewall policy from the user profile and see if they can then access the Internet. If they can, you know the network is set up correctly. Then it's back to making sure you applied the firewall policy correctly.
Check that DHCP is completing successfully and is supplying the right information to clients, that is, that you're seeing an expected IP address, subnet mask, default gateway and DNS server(s).
Can you ping the IP address of the default gateway?
The management address of the AP should be in a different, isolated VLAN to your guest traffic.
I suggest that you take a step back and look at your VLAN and subnet design and make sure it makes sense before you go further.
The two AP121s have manual IP addresses from our internal network (each one has its own management IP on the mgt0 interface) and the DHCP server is set on the mgt0.1 interface.
And show arp shows:
Internet 192.168.99.1 0 Incomplete ARPA (and the interface detail has no VLAN)
(192.168.99.1 is the IP address of the mgt0.2 interface of the new DHCP server)
For example, on the working VLAN:
Internet 192.168.77.1 21 e01c.41bc.2040 ARPA Vlan77