with OOB, you can't do bandwidth throttling or apply ACLs, since once the user is authenticated properly they are out of band. (you can apply those things only to user roles such as quarantine, temporary, etc). on the other hand, the CAS is not a bottleneck with OOB either. with OOB, you'll need to roughly duplicate your LAN and dhcp scopes for the unauthorized vlans/subnets.
(1) OOB will only work with Cisco switches and even then you need to check since it may not work with some older Cisco switches. With InBand (IB) the switch type is irrelevant.
(2) OOB mode can now be supported with Cisco wireless (centralised using WLC) but only if CAS has L2 connectivity to the WLC; NAC v4.5 and WLC v5.1 onwards. Originally NAC for wireless was only supported using IB mode.
This link discusses the different options that may be best suited to your environment:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...