I've been claiming that I can do this for some time, and the techs have finally called my bluff; so I'm coming to the community to see what I can actually do, and whether I'll be eating crow.
We have a wireless desktop PC set up for guests to access the Internet in order to fill out work applications etc. It's got a device certificate and we're using EAP-TLS for machine authentication to an SSID (Hire) specific to this use. Currently it's in VLAN100 (192.168.100.x) and has access to the Internet through our edge router.
We use VLAN30 (10.10.30.x) to manage the iAP and VLAN2 (10.10.2.x) to connect wired internal devices, but can't get to VLAN100 from the inside.
My techs want to be able to administer the Hiring Kiosk remotely (over VLAN2 or 30) and they would like the Kiosk to be able to print to VLAN2 printers.
I think I can do the printing to VLAN2 by allowing the printer's IP in the ACL for Hire role and setting up a NAT.
How do I allow the other direction?
I'm thinking I'm going to have to move the Hire desktop to VLAN2 and NAT back to VLAN100, but the iAP doesn't have an IP address in VLAN100 and I'm confused now.
If you're still reading this, have you got any ideas?
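As an added illustration (not part of the original post), the least-privilege policy described above modelled as a first-match ACL, so the two directions can be checked before anything is typed into the iAP: kiosk to one printer only, admin VLANs to the kiosk on one port only, and nothing else from the kiosk into internal space. The kiosk and printer addresses and the use of TCP 9100 for printing and TCP 3389 for remote admin are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, s, d, proto, dport):
        return (s in self.src and d in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

# Subnets are from the post; the host addresses are constructed placeholders.
KIOSK    = ipaddress.ip_network("192.168.100.50/32")  # assumed kiosk address
PRINTER  = ipaddress.ip_network("10.10.2.20/32")      # assumed printer address
VLAN2    = ipaddress.ip_network("10.10.2.0/24")
VLAN30   = ipaddress.ip_network("10.10.30.0/24")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
ANY      = ipaddress.ip_network("0.0.0.0/0")

# First-match order matters: the specific permits sit above the broad deny,
# and the Internet permit sits below it so the kiosk cannot reach 10.10.x.x.
RULES = [
    Rule(KIOSK, PRINTER, "tcp", 9100, "permit"),   # raw-socket printing
    Rule(VLAN2, KIOSK, "tcp", 3389, "permit"),     # remote admin from VLAN2
    Rule(VLAN30, KIOSK, "tcp", 3389, "permit"),    # remote admin from VLAN30
    Rule(KIOSK, INTERNAL, "any", None, "deny"),    # no other lateral access
    Rule(KIOSK, ANY, "any", None, "permit"),       # Internet via edge router
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if r.matches(s, d, proto, dport):
            return r.action
    return "deny"
```

Whatever NAT is used to reach VLAN100, the policy only holds if return traffic is stateful; a separate permit for "printer to kiosk" would open the reverse path to everything on that host.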