The document is great, and really helpful. Much appreciated.
Although I am hijacking this thread slightly, as when reading it I noticed this comment:
"To implement a Guest Captive Portal that provides Guest Registration and Authenticated
Registration (BYOD) access, as a best practice, a minimum of three VLANs are
recommended to isolate the guest traffic."
I had an open case where, when using ExtremeControl as the captive portal, the recommendation was to always use policy assignment rather than VLAN assignment, more specifically due to hitting this issue with iOS devices (link provided below). Initially the solution worked fine, but an Apple iOS update since seems to have introduced the problem.
The result of the case was that there was no workaround, other than to redesign the solution to use policy assignment instead. In this specific example, this redesign was not an option since the VLANs are tied to firewall rules that allow some internal access, since the captive portal page is used for both guest access and authenticated registration. The customer is currently stuck with the problem.
So just adding this in there, in the hope to be helpful in case anyone else falls into the same trap.