The delay was around 7 seconds and sometimes a tad more. (The RADIUS server isn't really nearby and the network is quite large, so LAN traffic also plays a role in the delay. I might try connecting the RADIUS server to the same switch as the APs, just to see if there's better performance.)
Unfortunately, if the laptops were to use Terminal Service, their connection would break (at approx. 10 sec. delay). I suppose local TCP/IP applications would be more tolerant.
I can't wait for the upcoming standards to be applied (and who knows whether it will imply buying new hardware), but on the other hand I do require tight security measures, so here's another method I thought of using, and I would like to know your thoughts.
I would disable using the FreeRADIUS EAP-TLS system and would configure every AP to be open (or just have WEP). This way roaming is really fast. However, I would connect the devices like so:

    LAPTOP1    LAPTOP2    LAPTOP3   (etc)

      AP1        AP2        AP3        AP4   (etc)   [192.168.1.0/24]
       |__________|__________|__________|
                        |
                     SWITCH
                        |
            Linux VPN Gateway/Router
                        |
            The Big LAN [10.215.144.0/22]

The Linux VPN Gateway/Router would have OpenVPN or IPsec or similar and would route traffic between the smaller 192.168.1.0/24 subnet and the larger 10.215.144.0/22. Would this method be "close enough" to what RADIUS EAP-TLS does to secure "The Big LAN"?
Am I overlooking something?