Thanks for the quick reply and link for the security document. I understand that the user data from the client is encrypted and sent from the AP to the controller via a GRE tunnel, and that controller decrypts the user data. I may have been a little vague when asking the question or I do not totally understand, which is more likely the case. But, when a user attempts to connect to a SSID that is hidden and not broadcast in a WPA2-PSK environment, the following occurs:
1. User manually inputs the SSID.
2. User manually inputs the pre-shared key.
After step 2 above and the user selects "connect", is that information sent to the controller to verify that the user entered pre-shared key is correct as per what is configured in the SSID profile? If the pre-shared key is correct, the client connects to the SSID. If not, then the client is not able to connect.