We found out what the issue was.
- If you have the "Prohibit IP Spoofing" option disabled (unchecked) in the Stateful Firewall Global settings tab.
- Client A connects to a secured SSID that requires either RADIUS authentication or a PSK authentication.
- Get Client A's IP address and assign it to Client B.
- Disconnect Client A and connect Client B on an unsecured SSID with Client A's IP address, such as a Captive Portal SSID.
- Client B will be allowed to pass through traffic as if it were Client A, which means Client B would potentially have full access to your internal network.
In our case the issue came up because we have very short DHCP lease times. DHCP IPs were being reassigned within a couple of hours. Legitimate clients appeared to not be able to connect. In fact what was happening was that many guest clients were attempting to connect to our guest Captive Portal SSID and not authenticating. The IPs of clients that were in the pre-auth captive portal user role were being reassigned to valid internal users that were attempting to connect on a secured SSID. The clients on the secured SSID were being prohibited from communicating on the wireless network because they would have the same privileges as a Captive Portal pre-authentication user role.
Initially we thought this could be a security hole (the size of Nevada) but it is not a problem as long as the "Prohibit IP spoofing" option is enabled.
Thanks!
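
A detection sketch for the condition described in the post above, added here as an example and not part of the original post: it flags any IP address seen under two different MAC addresses, one on a secured SSID and one on an unsecured SSID, within roughly one lease period. The record layout, SSID names, MAC/IP values and the two-hour window are constructed assumptions, not output from any particular controller.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed layout): time, SSID, client MAC, client IP.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "corp-secure", "aa:aa:aa:aa:aa:01", "10.1.20.15"),
    ("2024-01-10T09:40:00", "guest-portal", "bb:bb:bb:bb:bb:02", "10.1.20.15"),
    ("2024-01-10T09:05:00", "corp-secure", "aa:aa:aa:aa:aa:03", "10.1.20.16"),
    ("2024-01-10T10:00:00", "corp-secure", "aa:aa:aa:aa:aa:03", "10.1.20.16"),
    ("2024-01-10T08:00:00", "guest-portal", "bb:bb:bb:bb:bb:04", "10.1.20.17"),
    ("2024-01-10T15:30:00", "corp-secure", "aa:aa:aa:aa:aa:05", "10.1.20.17"),
]

SECURED_SSIDS = {"corp-secure"}  # assumed: SSIDs that use RADIUS or PSK
WINDOW = timedelta(hours=2)      # assumed: roughly the DHCP lease time


def find_ip_reuse(events, secured=SECURED_SSIDS, window=WINDOW):
    """Return one finding per pair of sightings where the same IP is used by
    two different MACs, one on a secured and one on an unsecured SSID,
    no more than `window` apart. Covers both directions from the post:
    a secured client's IP showing up on the guest SSID, and a guest's IP
    being handed to a secured client."""
    seen = {}      # ip -> list of (time, ssid, mac) already processed
    findings = []
    for ts, ssid, mac, ip in sorted(events):  # ISO timestamps sort by time
        t = datetime.fromisoformat(ts)
        for prev_t, prev_ssid, prev_mac in seen.get(ip, []):
            if prev_mac == mac or t - prev_t > window:
                continue  # same device, or old enough to be a normal re-lease
            if (prev_ssid in secured) != (ssid in secured):
                findings.append({
                    "ip": ip,
                    "first": (prev_ssid, prev_mac),
                    "second": (ssid, mac),
                    "gap_minutes": int((t - prev_t).total_seconds() // 60),
                })
        seen.setdefault(ip, []).append((t, ssid, mac))
    return findings


if __name__ == "__main__":
    for f in find_ip_reuse(SAMPLE_EVENTS):
        print(f)
```

A finding does not distinguish a spoofed address from a legitimate short-lease reassignment; either way it marks an IP whose role on the controller may not match the client now using it.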