I'll try and provide as much information as possible here:
Gear:
Juniper SRX220 Firewall
Juniper EX4200 Switch
Aruba 620 Controller
2 x AP105
1 x RAP2WG
My 620 controller has a single connection, a trunk, from Ethernet8 to the Juniper switch. That trunk allows vlans 991 and 993. The 620 has both of those VLANs defined and has an IP address on VLAN993, the default route for the controller is to another host on that VLAN993.
Onsite with the controller are two AP105s, which correctly locate and attach to the 620 controller, and the two VirtualAP profiles I've defined, one with PSK, the other with WPA2 and 802.1x auth are working properly.
Now... onto what's not working:
The RAP2WG access point connects. I've setup VPN services, whitelisted the RAP, setup a static 1 to 1 NAT for my controller's IP on VLAN993 to a public IP. I defined a new AP group for the RAP2WG, and then under virtual AP's I have added the same two virtual AP profiles I was using for the AP group for my AP105's. I definitely have no problem using tunnel mode here.
It does not appear that those SSID's are broadcasting on the RAP, and my attempts to set the wired port profiles mostly end in my own confusion. I'd like to transport that VLAN991 mentioned earlier to the E1 interface of the RAP.
Sorry if this seems all over the place.