Need Cisco help

With the following layout, if we tag SM ingress traffic as VLAN99 and connect a laptop or a WiFi Access Point to the SM, we can pull an IP from the AAA gateway, authenticate, and browse.

The Municipal WiFi APs can tag VLAN per SSID, so the public traffic is tagged as VLAN99. This traffic is switched through the City’s network to a Cisco switch and finally to our SM. We cannot get this traffic to our AAA Gateway.

We have had the switch tag the traffic as VLAN99 and the SM as a bridge, no joy. We have tried having the switch just pass the traffic untagged and have the SM tag the traffic, no joy. We have tried to have the switch act as a trunk port and access port, no joy.

What are we missing here? This seems so simple, yet we are burning hours on this.

This may be too simple of an answer, but here is my config on a switchport on a Cisco 2924-XL-EN.

interface FastEthernet0/4
 description connection to Royse City CMM 2
 load-interval 30
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter disable

Are VLANs enabled on the Canopy AP? If so, and you just want to pass already tagged traffic, you might set the Untagged Ingress VID to 1 on the SM. I have done that to allow traffic that has already been tagged by another device, to let the traffic pass through the Canopy AP “untouched”. Let me know if this helps. I run 1650 customers in about 60 different VLANs through multiple Cisco switches. One of the biggest mistakes I have made is not putting a VLAN in the Cisco switch's VLAN database.
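
An added example, not part of any post in this thread: a small offline check for the two switch-side gaps mentioned above, a VLAN missing from the VLAN database and a trunk whose allowed list excludes it. The config excerpt and VLAN set are constructed sample input, and the script assumes a trunk with no `allowed vlan` line carries every VLAN and handles only the plain list form of that command.

```python
import re

# Constructed running-config excerpt (not from the thread); Fa0/4 mirrors the posted trunk.
RUNNING_CONFIG = """\
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10-12
 switchport mode trunk
!
interface FastEthernet0/6
 switchport access vlan 99
"""
VLAN_DATABASE = {1, 10, 11, 12}  # constructed: VLAN IDs defined on the switch

def expand(spec):
    """Expand a VLAN list such as '1,10-12' into a set of IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_ports(config):
    """Map interface name -> mode, trunk allowed list (None = all), access VLAN."""
    ports, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ports.setdefault(m[1], {"mode": "access", "allowed": None, "access": 1})
        elif cur is None:
            continue
        elif line == "switchport mode trunk":
            cur["mode"] = "trunk"
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
            cur["allowed"] = expand(m[1])
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur["access"] = int(m[1])
    return ports

def check_vlan(config, vlan_db, vlan):
    """Return findings that would stop frames tagged `vlan` from being switched."""
    findings = []
    if vlan not in vlan_db:
        findings.append(f"VLAN {vlan} is not in the VLAN database")
    for name, p in parse_ports(config).items():
        if p["mode"] == "trunk" and p["allowed"] is not None and vlan not in p["allowed"]:
            findings.append(f"{name}: trunk allowed list excludes VLAN {vlan}")
    return findings
```

Calling `check_vlan(RUNNING_CONFIG, VLAN_DATABASE, 99)` returns both findings for the sample; an empty list means neither gap applies to that VLAN.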

spanning-tree bpdufilter disable

That may be it right there. The router guy indicated that BPDU traffic was being sent, but not coming back.