The security policy mandates that only controller web management traffic is allowed from the IT...

The issue is likely caused by the CPU ACL on the controller, which is blocking HTTP/HTTPS traffic from the guest clients. When a WLAN with Web Authentication is used, the wireless client’s browser is redirected to a web page for authentication. If the CPU ACL is configured to only allow controller web management traffic from the IT subnet, it may inadvertently block the necessary HTTP/HTTPS traffic for the Web Authentication process, leading to a timeout on the wireless client browser. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, specifically the sections discussing CPU ACLs and their impact on network traffic.