So I've been resisting giving wireless access to my internal network for a long while. But over time the security options on wireless equipment have gotten better, and frankly the cable clutter in the conference rooms has started resembling a brier patch. So I went looking for a wireless router that could not only handle multiple VLANs but would also provide strong security and integrate with my users' Active Directory accounts. Enter the Cisco AP541N, which can emulate up to 15 virtual APs; each can be configured with unique authentication options and VLAN tagging, and supports redirection to a URL. It had good clustering support to boot, which was a nice plus, along with PoE support to simplify deployment, and it comes in just under $400.
For my secure network, I set the VAP to use RADIUS auth to my Win2k8 R2 domain controllers, which were set up using NPS. Good setup article here: http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/
Accessing the VAP is a breeze, as the user just has to click connect on their domain-joined laptop and their credentials are automatically passed through without any end-user configuration. Nice video at: http://www.youtube.com/watch?v=g-0MM_tK-Tk
Now the only thing that I didn't like when I configured it was that the admin password was limited to only 8 alphanumeric characters. Fortunately, if that's an issue, you can just configure the whole WAP to use 802.1X to authenticate the admin account. I also ran into an issue where the auto-configured settings that the cluster feature set up had an authentication problem, but all I had to do to fix that was re-enter the RADIUS password and it went away.