1. What are the security requirements and access methodologies – you have routing defined, but no access control information. How are the machines defined? By MAC (not very secure), USERID, certificate, two-factor authentication (RSA or token), etc.? What RADIUS server product are you using and where is it located?
2. What/where is the router in all of this? Are the WAPs set up “outside” the corporate LAN, or on the same network? The same network is not advised, as wireless is inherently less secure than the wired network because the physical layer is radio. Standard security practice is to configure your WAPs on their own separate network and use firewall rules/VPN to allow access to specific required resources.
I would set up a wireless network, either a VLAN or separate hardware, and use certificates to authenticate the users to their correct wireless VLAN, then create VIPs for each corporate resource and allow traffic based on source IP address. That should be a nice balance between security and ease of use.
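As an added illustration of the design recommended above (this is example code, not part of the original post), the following models the firewall policy between a certificate-authenticated wireless VLAN and the corporate LAN: the only permitted paths are from the wireless subnet to published VIPs on specific ports, everything else is denied, and a "flat" policy (WAPs on the same network as the LAN) is shown alongside for contrast. All addresses, VIP names and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # source network (e.g. the wireless VLAN)
    dst: ipaddress.IPv4Network   # destination network or a /32 VIP
    proto: str                   # "tcp", "udp" or "any"
    dport: int                   # destination port, 0 = any port
    action: str                  # "allow" or "deny"


# Constructed addressing plan (hypothetical, not from the original post).
WIFI_VLAN = ipaddress.ip_network("10.20.0.0/24")    # users land here after certificate auth
LAN = ipaddress.ip_network("10.1.0.0/16")           # corporate wired LAN, including real servers
VIPS = {
    "mail": ipaddress.ip_network("10.1.250.10/32"),   # VIP in front of the mail server
    "files": ipaddress.ip_network("10.1.250.20/32"),  # VIP in front of the file server
}

# Segmented design: wireless clients may reach only the published VIPs on the
# required ports; the trailing deny makes the intent explicit even though
# evaluate() already defaults to deny when nothing matches.
SEGMENTED_POLICY = [
    Rule(WIFI_VLAN, VIPS["mail"], "tcp", 443, "allow"),
    Rule(WIFI_VLAN, VIPS["files"], "tcp", 445, "allow"),
    Rule(WIFI_VLAN, LAN, "any", 0, "deny"),
]

# Flat design (WAPs on the same network as the LAN): there is no enforcement
# point between a wireless client and any wired host.
FLAT_POLICY = [
    Rule(LAN, LAN, "any", 0, "allow"),
]


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """First-match evaluation of a rule list; default deny when no rule matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in rule.src and dst in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (0, dport)):
            return rule.action
    return "deny"


def reachable_from_wifi(policy, client_ip, targets):
    """Return the subset of (dst_ip, proto, port) targets a wireless client can reach."""
    return [t for t in targets if evaluate(policy, client_ip, *t) == "allow"]


if __name__ == "__main__":
    # Constructed flows: the two published services plus a direct attempt at a
    # wired host that is not behind a VIP.
    flows = [
        ("10.1.250.10", "tcp", 443),   # mail VIP, permitted port
        ("10.1.250.20", "tcp", 445),   # file VIP, permitted port
        ("10.1.250.10", "tcp", 22),    # mail VIP, unpublished port
        ("10.1.5.7", "tcp", 445),      # wired file server directly, bypassing the VIP
    ]
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(name, reachable_from_wifi(policy, "10.20.0.15", flows))
```

With the segmented policy only the first two flows are allowed; with the flat policy a wireless client is indistinguishable from a wired one. Note that "allow by source IP" is only as trustworthy as the VLAN assignment behind it, which is why the post pairs it with certificate authentication: the RADIUS server places a client in the wireless VLAN only after its certificate is validated, so the source subnet really does identify an authenticated user.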