CLEANACCESS Archives

April 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject: (none)
From: Daniel Sichel
Reply To: Cisco Clean Access Users and Administrators
Date: Fri, 17 Apr 2009 08:28:44 -0700
I run wireless IB virtual gateway and it works pretty well. IMHO this
is one of the few bright spots with this product. 

I set up a separate DHCP server because I route multiple vlans through
the CAS (and I guess in this mode, it is the only choice given on the
DHCP setup screen, at least it is on mine). This allows me to provide
complete information to each DHCP client, also. Plus for those headed to
my corporate lan I can route their DHCP to my corporate Active Directory
DHCP servers which saves a lot of work. 

I use different wireless networks (SSID, etc) for different roles and
each wireless network is assigned its own vlan by the WAP. 
I use RADIUS authentication and MSCHAP v2 for attaching to the VLAN for
my corporate vlan and a simple WPA pre shared key to provide internet
only access to visitors. We are in a rural area and if somebody wants to
park in the cow pasture or in front of the FFA pig farm to steal some
bandwidth, I guess that's not the worst thing in the world. They won't
get on my corporate LAN without going through NAC and authentication.
Setting up RADIUS was a bit tricky as I needed to route RADIUS traffic
to my RADIUS server and set up rules in the firewall to allow it from
the auth LAN to the RADIUS server. 

My corporate users are set up with SSO which was a PAIN to set up in
Clean Access, but if you don't have too many DCs and you follow the
Cisco instructions EXACTLY, NOT SKIPPING OR CHANGING ANYTHING, they work
great. Kudos to whoever wrote the instructions for setting up SSO. BTW,
I may still have my copy of the instructions if you need them.

Make sure you enter each vlan from your WAP in the managed subnet
screen. Also enable VLAN mapping and add the mapping for your topology.

I also had to add (and this was weird) a specific route to my corporate
(access vlan) via the UNTRUSTED link on the static route screen. I also
added /32 routes to my AD servers via the TRUSTED link. That ensured
that authentication traffic reached the AD servers, but no other
untrusted user traffic would. I learned that after working with TAC. For
my AD servers I have a gateway entry (the address of the firewall) but
for my untrusted route I have none. 

Finally I entered the proxy server ports in the Proxy screen, but not
the IP of the proxy server (which is also my firewall and default
gateway out to the world). I provide the gateway address via DHCP. 

I set this up a long time ago, and some of it looks weird now even to
me. Also this was set up on version 3.8. It still works on version 4.5
but I do not know if it is (or ever was for that matter) a recommended
practice. It works for us. We give visitors our pre shared key, and they
have internet access via wireless quicker and easier than at most
hotels. The only ones I have problems with are people who have
preexisting proxy settings in their browser, and that is easy to fix. 

A caveat, wireless users are unauthenticated before they are logged in
and remediated, so be careful of the traffic filters you set up in your
unauth role. I accidentally bypassed all wireless authentication for a
few days while working on OOB VG set up for wired clients (which is NOT
a bright spot of this product, but that is another story). To quote
Christopher Walken, "Whoops."

In summary, the hard parts (for me) were getting the WAP properly
provisioned for RADIUS authentication, getting the unauth and auth
traffic routed properly (that hung me up FOREVER, the static routes
fixed that). The rest was pretty easy. Good luck,

Dan Sichel
Ponderosa Telephone 
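The static-route design described in the message above (host routes to the AD servers via the TRUSTED link, the corporate access VLAN via the UNTRUSTED link, with the goal that authentication traffic reaches AD but no other untrusted traffic crosses the trusted link) can be checked before it is typed into the appliance. The script below is an added example written for this archive page; it is not the poster's configuration and not a Cisco tool. It models a route table with longest-prefix matching and audits which destinations would egress the trusted interface. The `Route` class, the `lookup` and `audit_trusted_exposure` functions and all addresses (RFC 1918 ranges) are constructed assumptions.

```python
"""Sanity-check a Clean Access-style static route table (added example).

Models the design from the mailing-list post: /32 host routes to the AD
servers via the TRUSTED link, the corporate access VLAN via the UNTRUSTED
link, then verifies that only the AD hosts can be reached through the
trusted interface. Addresses and names are constructed, not the poster's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str            # "trusted" or "untrusted" (assumed labels)
    gateway: Optional[str]    # None = no gateway, like the post's untrusted route


# Constructed sample table mirroring the post's layout.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.10.1.0/24"), "untrusted", None),         # corporate access VLAN
    Route(ipaddress.ip_network("10.10.1.10/32"), "trusted", "10.10.1.1"),   # AD server #1
    Route(ipaddress.ip_network("10.10.1.11/32"), "trusted", "10.10.1.1"),   # AD server #2
]

AD_SERVERS = ["10.10.1.10", "10.10.1.11"]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def audit_trusted_exposure(routes: List[Route], allowed_hosts: List[str]) -> List[str]:
    """Return every destination address whose best route egresses the trusted
    link but which is not an allowed AD host. Walks each trusted prefix so a
    mistakenly broad route (e.g. a /25 instead of a /32) is caught, while
    addresses that a more specific route wins are skipped.
    """
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    violations: List[str] = []
    for r in routes:
        if r.interface != "trusted":
            continue
        for host in r.prefix:                      # /32 yields exactly one address
            if lookup(routes, str(host)) is r and host not in allowed:
                violations.append(str(host))
    return violations


if __name__ == "__main__":
    for dst in ("10.10.1.10", "10.10.1.50", "192.0.2.1"):
        r = lookup(ROUTES, dst)
        print(dst, "->", r.interface if r else "no route")
    bad = audit_trusted_exposure(ROUTES, AD_SERVERS)
    print("trusted-link exposure:", bad or "none")
    # Simulate the common mistake: a too-broad trusted route instead of /32s.
    sloppy = ROUTES + [Route(ipaddress.ip_network("10.10.1.0/25"), "trusted", "10.10.1.1")]
    print("with a /25 trusted route:", len(audit_trusted_exposure(sloppy, AD_SERVERS)), "exposed hosts")
```

Run it as-is to see the clean table pass and the deliberately sloppy one fail; swap in your own prefixes to check a table before it goes into the static route screen.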
