The IAP model is great BUT...there are some things that the controller can do as the firewall is much more robust as it's handling a large amount of data and clients. So...it really depends on your requirements.
Things you will get in the controller that are NOT in IAP:
- AppRF or application visibility
- VLAN centralization - no need to configure trunk ports at the AP level
- ability to terminate VPN tunnels
- deeper spectrum analysis visibilty
- bandwidth contracts per user
However, with IAPs regarding the firewall, you will realize the following main features...
- DHCP fingerprinting and user derivation rules (i.e. - ability to apply a role to device types like iOS and Android)
- Bandwidth contracts per ssid
- role based stateful firewall
- classify media and apply QoS based on traffic type like Lync, voice, video
If you have any questions...please let us know.