The proper solution is described below:
1. Connect the user to the guest wireless network.
2. Perform a lookup on the user to determine their role:
   - SSH to the controller and, in enable mode, type "show user".
3. Log in to the wireless controller and go to the Configuration tab.
4. Select "Access Control" under SECURITY on the left.
5. If the user's role is "Guest", for example, click "Edit" to the right of that role.
6. Under "Firewall Policies", click Add, then select "Choose From Configured Policies" and select "vpnlogon".
7. After it shows in the list of policies, click on it to add an additional rule.
8. Click Add: IPv4, source Any, destination Any, Service "svc-natt", action Permit, Log unchecked, Mirror unchecked, Queue Low. Leave all other options in the row alone.
9. Click Add.
10. Click Apply, and be sure to save at the top.
Services that should now be allowed are:
svc-ike
svc-esp
svc-l2tp
svc-pptp
svc-gre
svc-natt
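Why the extra svc-natt rule matters, as an added example that is not part of the original post: a small Python model of the guest role's session policy, built from the standard port/protocol definitions of these service aliases (svc-natt is UDP 4500, the IPsec NAT-traversal port) and evaluated against constructed flows from a VPN client sitting behind NAT. The service table, Flow type and flow names are assumptions for this illustration.

```python
# Added example (not from the original post): a minimal first-match model of
# the guest role's session ACL, showing that "vpnlogon" alone permits IKE and
# ESP but drops the UDP/4500 traffic a NAT'd IPsec client actually sends.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service alias -> (IP protocol number, destination port or None).
# These are the standard definitions behind the aliases named on the page.
SERVICES = {
    "svc-ike":  (17, 500),    # IKE, UDP 500
    "svc-esp":  (50, None),   # ESP, IP protocol 50 (no port)
    "svc-l2tp": (17, 1701),   # L2TP, UDP 1701
    "svc-pptp": (6, 1723),    # PPTP control channel, TCP 1723
    "svc-gre":  (47, None),   # GRE, IP protocol 47 (no port)
    "svc-natt": (17, 4500),   # IPsec NAT traversal, UDP 4500
}


@dataclass(frozen=True)
class Flow:
    proto: int                 # IP protocol number
    dport: Optional[int]       # destination port, None for port-less protocols


# The "vpnlogon" policy as listed on the page, before svc-natt is added.
VPNLOGON: List[str] = ["svc-ike", "svc-esp", "svc-l2tp", "svc-pptp", "svc-gre"]


def permitted(policy: List[str], flow: Flow) -> bool:
    """Permit on the first rule whose service matches; otherwise implicit deny."""
    for svc in policy:
        proto, port = SERVICES[svc]
        if flow.proto == proto and (port is None or flow.dport == port):
            return True
    return False


def check_vpn_flows(policy: List[str]) -> Dict[str, bool]:
    """Evaluate the constructed flows of an IPsec client behind NAT."""
    flows = {
        "ike (udp/500)": Flow(17, 500),
        "esp (proto 50)": Flow(50, None),
        "nat-t (udp/4500)": Flow(17, 4500),  # IKE/ESP encapsulated in UDP 4500
    }
    return {name: permitted(policy, f) for name, f in flows.items()}


BEFORE = check_vpn_flows(VPNLOGON)                 # nat-t flow is denied
AFTER = check_vpn_flows(VPNLOGON + ["svc-natt"])   # all three flows permitted
```

Clients that are not behind NAT negotiate on UDP/500 and carry ESP directly, which is why the policy appears to work for some users and not others until svc-natt is added.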