Well, it depends. The login itself (to windows) is handled by the Windows Domain Server (for account authentication). If they're not currently logged in, it uses cached domain credentials to authenticate login. To connect to the wireless, they choose the wireless network network from the available list, and jump through all the normal hoops (WPA, etc, etc) to connect. After the connection, there is no throughput however. Everything is blocked except VPN traffic.
Basically, it all the same as your users are doing now, but with one extra step. After connecting to the wireless connection, the user has to fire up the Nortel VPN client (that's the one my company uses for Window$ users, or Apani for us Linux folks), and we enter all our VPN stuff (account name, PIN#, Hardware access token code, etc) to establish the VPN connection. Then traffic runs as normal, if just a bit more slowly.
"The Sheep hate the Sheepdogs for barking at the wolves because it reminds them that they are unwilling to defend themselves." - DonGlock26 (8/30/06)
Founder - Illinois Glockers Club #1
Big Dawg, GOTOD, Niner's & Survival #1280