Informative Information for the Uninformed
Clearly, modifying client-side drivers for better standards compliance is one area where work could be done. A more interesting question is how one handles key management on the AP in this situation: any PSK solution clearly does not apply in this scenario. How much deviation from the spec is needed for WPA 802.1X authentication to be deployed successfully? One interesting area of research is the concept of a stealthy rogue AP.
By using association redirection, clients could be the victims of association hijacking by a rogue AP that is stealthy from the perspective of the network admin. An adversary could simply set up shop with a modified HostAP driver on a Linux box that did not transmit beacons. Instead, it would wait for a client to send an association request to the legitimate access point and try to win the race to send the association response first. Alternatively, the adversary could simply deauthenticate the user and then be poised to win the race.
Another interesting question is whether or not a PAP could withstand a DoS attack that attempts to create an overwhelming number of VBSSIDs. It is the author's opinion that a suitable algorithm could be found to make the resources required for such an attack too costly for most attackers. By dynamically expiring PVLANs and VBSSIDs as a function of time and traffic, the PAP could burden the attacker with keeping track of all of his VBSSIDs as well, instead of just creating as many as he can and forgetting about them.
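The expiry policy sketched above, as an added example that is not code from this paper or any PAP implementation: a small VBSSID/PVLAN table that reclaims state which goes idle or fails to carry a minimum amount of traffic per accounting window. The table layout, the timeouts, the byte thresholds and the client MAC addresses are all constructed for the example, as is the simulation of a flood of bogus clients against a deliberately tiny capacity.

```python
from dataclasses import dataclass

# Tunables are assumptions for this example, not values from the paper.
IDLE_TIMEOUT = 60.0     # seconds without any frame before a VBSSID is reclaimed
MIN_BYTES = 1024        # bytes a VBSSID must carry in each accounting window
TRAFFIC_WINDOW = 30.0   # length of one accounting window in seconds
CAPACITY = 4            # tiny on purpose so the simulation is readable


@dataclass
class VbssidEntry:
    client_mac: str
    pvlan_id: int
    created_at: float
    last_seen: float
    window_start: float
    window_bytes: int = 0


class VbssidTable:
    """Per-client VBSSID/PVLAN state with time- and traffic-based expiry."""

    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.entries = {}        # client_mac -> VbssidEntry
        self.next_pvlan = 1

    def request(self, client_mac, now):
        """Allocate (or return the existing) PVLAN id for a client; None if full."""
        self.expire(now)         # reclaim stale state before deciding
        if client_mac in self.entries:
            return self.entries[client_mac].pvlan_id
        if len(self.entries) >= self.capacity:
            return None
        pvlan = self.next_pvlan
        self.next_pvlan += 1
        self.entries[client_mac] = VbssidEntry(client_mac, pvlan, now, now, now)
        return pvlan

    def traffic(self, client_mac, now, nbytes):
        """Account a frame of nbytes to the client's current window."""
        entry = self.entries.get(client_mac)
        if entry is None:
            return False
        entry.last_seen = now
        entry.window_bytes += nbytes
        return True

    def expire(self, now):
        """Drop idle entries and entries whose last window carried too little traffic.
        Entries that met the threshold get a fresh window. Returns the dropped MACs."""
        dead = []
        for mac, entry in self.entries.items():
            if now - entry.last_seen >= IDLE_TIMEOUT:
                dead.append(mac)
                continue
            if now - entry.window_start >= TRAFFIC_WINDOW:
                if entry.window_bytes < MIN_BYTES:
                    dead.append(mac)
                    continue
                entry.window_start = now   # roll the window
                entry.window_bytes = 0
        for mac in dead:
            del self.entries[mac]
        return dead


def simulate():
    """Constructed scenario: one legitimate client, then ten bogus clients
    that each ask for a VBSSID and, with one exception, never send traffic."""
    table = VbssidTable(capacity=4)
    legit = "aa:aa:aa:aa:aa:01"
    out = {}
    out["legit_pvlan"] = table.request(legit, 0.0)
    granted = [table.request(f"de:ad:be:ef:00:{i:02x}", 1.0) for i in range(10)]
    out["attacker_granted"] = sum(1 for g in granted if g is not None)
    # A naive table is now exhausted: a genuine newcomer is refused.
    out["newcomer_at_t2"] = table.request("bb:bb:bb:bb:bb:02", 2.0)
    table.traffic(legit, 5.0, 2000)
    # The attacker must spend traffic on every VBSSID he wants to keep.
    table.traffic("de:ad:be:ef:00:00", 20.0, 1500)
    out["expired_at_t31"] = len(table.expire(31.0))
    out["newcomer_at_t32"] = table.request("bb:bb:bb:bb:bb:02", 32.0)
    out["legit_survives"] = legit in table.entries
    out["entries_after"] = len(table.entries)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` shows the point the paragraph makes: the three silent bogus entries are reclaimed at the first window boundary, the newcomer that was refused at t=2 is admitted at t=32, and the only attacker entry that survives is the one he kept feeding with traffic. The cost of holding N VBSSIDs therefore scales with N for the attacker, not just for the PAP.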