Time to adopt EAP-TLS. Single-factor auth is *always* shitty.
Of course, then you will have users with passphraseless TLS certs, and
it turns out the CRL doesn't work in hostapd's built-in RADIUS server.
Also it turns out that your enterprise-ready MFC doesn't support
EAP-TLS, only fucking PSKs. And the x360 in the break room only does
PSK. And the iPhones can do EAP-TLS, but only if they're jailbroken
*or* you deploy a puppetmaster-type provisioning server for iDevices
(which isn't an option anyway because they're BYOD). IIRC the maemo
phones worked, but only if you killed their in-house wifi daemon and
ran wpa-supplicant by hand, which chewed through the battery.
So what I do now, to my disgust, is per-MAC PSKs - which I generate
for the users (so they have full entropy), and which are all stored in
plaintext on each of the APs. But at least I can revoke them by
commenting them out. And the clients can be dumb as bricks.
Attached is a patch that enables either approach for OpenWRT as at
either backfire or aa (the script didn't change between releases).
PS: yes, I know about EAP-TTLS. It's exactly as shitty as not using
client-side certs for HTTPS. Also the wifi alliance only requires
EAP-TLS for device branding, so in theory that's way more portable
(except it isn't, see above).