Packet captures appear to show that the Advanced Threat Protection (ATP) platform fails to relay all RADIUS requests received on the LAN interface to the WAN interface. Adding the IP address of the RADIUS server as an IP-based whitelist entry in the ATP UI does not appear to permit RADIUS authentication to occur on the guest Wi-Fi network.
When one or more packets received by the LAN interface of ATP exceed the MTU of 1500 and have a VLAN tag, ATP defragments them to build and inspect a packet. To retransmit to the WAN interface, ATP re-fragments the packet but fails to re-add the VLAN header.
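To confirm this behaviour from LAN-side and WAN-side captures, the following added example (not Symantec code) parses raw Ethernet frames and reports IPv4 fragments that carried an 802.1Q tag on the LAN side but are untagged on the WAN side. The function names, addresses, VLAN ID and frames are constructed for illustration, and matching the two sides by source, destination and IP ID assumes the IP ID is unchanged by re-fragmentation.

```python
import socket
import struct

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

def parse_frame(frame):
    """Return (vlan_id or None, datagram key, is_fragment) for IPv4 frames, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan_id, off = None, 14
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ip_id, flags_frag = struct.unpack_from("!HH", frame, off + 4)
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    # A fragment has the More Fragments bit set or a non-zero fragment offset.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0
    key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), ip_id)
    return vlan_id, key, is_fragment

def fragments_missing_vlan(lan_frames, wan_frames):
    """Map datagram key -> LAN-side VLAN ID for fragments that are untagged on WAN.
    Assumption: the IP ID survives the device's reassembly and re-fragmentation."""
    lan = [p for p in map(parse_frame, lan_frames) if p and p[2]]
    wan = [p for p in map(parse_frame, wan_frames) if p and p[2]]
    lan_vlan = {key: vlan for vlan, key, _ in lan if vlan is not None}
    return {key: lan_vlan[key] for vlan, key, _ in wan
            if vlan is None and key in lan_vlan}

def build_frame(ip_id, frag_units, more, vlan=None):
    """Constructed sample frame: Ethernet (+ optional 802.1Q) and a bare IPv4/UDP header."""
    eth = b"\x02" * 6 + b"\x04" * 6
    if vlan is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    flags_frag = (0x2000 if more else 0) | frag_units
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, flags_frag, 64, 17, 0,
                             socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.1.10"))

# Constructed captures: datagram 0x1A2B is fragmented, 0x1A2C is not.
LAN = [build_frame(0x1A2B, 0, True, 20), build_frame(0x1A2B, 185, False, 20),
       build_frame(0x1A2C, 0, False, 20)]
WAN = [build_frame(0x1A2B, 0, True), build_frame(0x1A2B, 185, False),
       build_frame(0x1A2C, 0, False, 20)]
```

Calling `fragments_missing_vlan(LAN, WAN)` on the constructed captures reports only the fragmented datagram; the unfragmented packet, which keeps its tag on both sides, is not flagged.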
Symantec is committed to repairing this in a future build.
To work around this issue, please do one of the following: