George,
For access controlled VSCs, you do NOT have to have the AP tagged for that VLAN. I used to do it that way, but I don't anymore...
You can configure multiple access controlled VSCs on the same controller. I have done that on occasion. However, doing that changes the way I typically deploy the MSM controllers. If I need to deploy, for example, (2) different access controlled VSCs, and have each on a different VLAN, then I will NOT assign an IP address to the Internet Port of the controller (which is the default way controllers are setup). Instead, I will do the following (for example):
- From the Network|Network Profiles page, I will create my two profiles, GuestA (on VLAN 30) and GuestB (on VLAN40)
- From the Network|VLANs page, I will set GuestA as Mapped to the Internet Port (tagged).
- From the Network|VLANs page, I will set GuestB as Mapped to the Internet Port (tagged).
-From the Network|IP Interfaces page, I will remove ALL IP addressing from the Internet port itself.
-From the Network|IP Interfaces page, I will add a New Interface for GuestA and assign it an IP address on that VLAN as applicable.
-From the Network|IP Interfaces page, I will add a New Interface for GuestB and assign it an IP address on that VLAN as applicable.
-On the Switch, I change the actual port where the Internet Port is plugged into from Untagged to Tagged on both VLAN30 and VLAN40.
-From Network Tree|Controller|VSC, I will select the GuestA VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.
-From Network Tree|Controller|VSC, I will select the GuestB VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.
I have never yet done dynamic VLAN assignment based on specific users or RADIUS but I believe it can be done.