I've yet to try clearpass and I think my boss has been sold on their... (Forget what it's call, segmented network?) stuff so we might get it, but I didn't mention it because OP seems to want to stay off the cloud. I also don't think we need (Segmented network?) and the only thing I wanted clear pass for was to keep certain users off the network on one type of device but allow them on for another. This is just me rambling about my situation.I've used both Cisco controller based, and Aruba IAP in different companies. My current company uses Aruba IAP and it works great. Most of the heavy lifting for auth is via ClearPass, so I don't need too many smarts in the AP's.