Hi,
The idea is, that the router does the authentication via radius server, which stores predefined "WPA keys". When user uses one of them to access the network, the "WPA key" is activated. After specified period of time, radius server automatically deactivates the WPA key and disconnects user.
err, if the WPA key only becomes active AFTER they've reached the RADIUS server - then HOW are they to connect to the wireless in the first place - as the WPA key is required for the layer 2 link to come alive(!) AAA would be able to give you this 'very low level' type of authentication. what you COULD do with AAA is to use SSL certs....eg EAP-PEAP/EAP-TLS with WPA-enterprise. and then once the cert has been used, expire it. alternatively use WPA as you are currently doing but enforce another control method to get online - such as a SOCKS5 proxy. alan