Thanks - appreciate the detailed response.
How about this:
1. Wireless - make one SSID and segregate out lots of individual access with roles tied to an AD security group. So we can connect up lots of departments on one SSID, but individually they have their own role / ACL.
2. On wired: give these laptops the VIA client; they tunnel through the LAN with this encryption back to a controller with the same role derivation. Essentially VPN with their own encryption to the controller.
Would these work? Can I use the same controllers (2x 7240s) for both wireless and VPN concentrator?
Thanks