Actually, not sure. Redirection still happens at the AP, so perhaps it's still the AP. The controller does act as authenticator in this case, so it does need some virtual interface to handle those web requests and direct them to the available control...
The AP has a web server in 'self' mode that serves an unencrypted page to accept authentication requests at 1.1.1.1 over port 880. SSL requests would happen over port 444. I can't speak to the details of the web server on the AP that handles redirec...
