Is it OK to put an access point behind a firewall as opposed to before it (on the outside)?
If my users want to connect to the network, they have to authenticate and get authorization; I'm guessing a router would route the Auth & Auth requests to a RADIUS server on a DMZ, but then it seems like they wouldn't have all the normal protection of entering through the firewall as a normal user would.
So where should the Wi-Fi normally be on a small LAN: inside, outside, or in the DMZ of a LAN? Pros/cons?
Largely, it's a question of what you want to protect. A firewall protects your users' PCs from attacks from the outside, if properly configured, notwithstanding attacks from compromised hosts inside. (Personal firewalls are a Good Thing.)
Your local "normal" users should, in fact, be _behind_ the firewall, to provide max protection and control "bots" connectivity with the outside.
An AP behind the firewall can be an entry path for intruders, unless you secure it as you mention with WPA and in your case a RADIUS server.
A major issue is what you wish wirelessly-connected users to be able to access internally. E.g., having clients access Windows network shares via a NAT router is a no-go in my experience with two different NAT routers, wired and wireless, unless maybe you have them share the _same_ virtual LAN. ("Wireless routers" are typically AP, bridge, and router.)
What I mean by that is to not have the AP serve as a router for them but as a connection to its bridged network ports. The AP would have an IP in the same range as the servers, and issue IPs in that same range via DHCP. The router's WAN port would be unused. Care would be required in configuring the AP's range of IPs to issue, obviously, among other IP parameters.
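The addressing care described in the last paragraph of the answer can be checked mechanically before the AP goes live. The Python sketch below is an added example, not part of the original answer; the function name, the subnet and all host addresses are constructed for illustration.

```python
import ipaddress

def check_bridged_ap_plan(lan_cidr, ap_ip, pool_start, pool_end, static_hosts):
    """Return a list of problems with a bridged-AP addressing plan (empty = OK)."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    ap = ipaddress.ip_address(ap_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    # The AP's own IP must sit in the same range as the servers.
    if ap not in lan:
        problems.append(f"AP address {ap} is outside {lan}")

    # The DHCP pool must be a valid range wholly inside the LAN subnet.
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    for edge in (start, end):
        if edge not in lan:
            problems.append(f"pool address {edge} is outside {lan}")
    if start <= lan.network_address <= end or start <= lan.broadcast_address <= end:
        problems.append("pool covers the network or broadcast address")

    # No lease may collide with a statically addressed host (servers, gateway, AP).
    for name, addr in dict(static_hosts, ap=ap_ip).items():
        ip = ipaddress.ip_address(addr)
        if start <= ip <= end:
            problems.append(f"pool overlaps static host {name} ({ip})")
    return problems

# Constructed sample plans: static hosts on the wired LAN behind the firewall.
STATIC = {"gateway": "192.168.10.1", "fileserver": "192.168.10.10",
          "backup": "192.168.10.11"}
GOOD = dict(lan_cidr="192.168.10.0/24", ap_ip="192.168.10.2",
            pool_start="192.168.10.100", pool_end="192.168.10.199",
            static_hosts=STATIC)
# AP left on a different range, pool running over the servers and broadcast.
BAD = dict(lan_cidr="192.168.10.0/24", ap_ip="192.168.1.1",
           pool_start="192.168.10.5", pool_end="192.168.10.255",
           static_hosts=STATIC)

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_bridged_ap_plan(**plan) or "OK")
```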