That doesn't surprise me. I'll bet they have geek brain power behind it to build an isolated VLAN with it's own direct port to the internet and a modicum of access to internal network resources while being locked down to the rest of their enterprise network. I'd kill to get a look at their router configs to see what kind of magic they work with them.
We do exactly that, with Cisco APs here (internal access is by VPN only, but I'm assuming that's what you meant.) We use 802.1x for domain joined machines and U&P for consultants.