We're looking to move our current access points from using a static password potentially to RADIUS. However, the closest to a directory service we have is Google Apps for Business, which does support being a SAML Identity Provider, etc.
There are a number of hosted RADIUS solutions that claim to do this - IronWIFI, Cloudessa, JumpCloud. However, looking closer, I don't how that would work with 2FA being active on the Google Accounts, unless we set up app specific passwords for the wifi (which gets to a chicken and egg problem - how does user get to Google Apps to set up an app specific password on a laptop without wifi? Guest wifi? - plus this seems really clunky in general)
This feels like this has to be a solved problem, but I cannot find a good answer.