Another option would be to setup the AP's in remote mode and have the traffic source nat'ed threw that building's modem but we'd have to ask our ISP to allow traffic to flow threw their firewall and then poke holes in our firewall to reach to our 3600 controller.
I should mention, our goal here is to be able to log who's conneted to our wifi network (s) - there's been people connecting to the existing wifi network in that building and sending out some threatening emails to certain staff. We want to be able to figure out what machine was connected at the time that message reached our mail server and take action - I'm thinking the easiest way would be with a second controller with a public IP's on its' WAN interface then at least when we go through our email logs can say: "the threatening email came from the controller's IP therefore it was sent from someone connected to one of those AP's"
If we go with a second controller, would I be able to login to our master controller and manage or at least have a dashboard view of what's happening on that second one?
I have a meeting with my boss tomorrow and would like to present to her some ideas - Her big concern is security and logging.
Thanks