Add to the mix of remote RADIUS servers for small-office WPA Enterprise: The folks at BoxedWireless are offering the back-end RADIUS authentication server needed to provide WPA Enterprise. The interesting twist with BoxedWireless is that they offer both EAP-TLS (unique certificate per computer) and PEAP (certificate optional on server) under 802.1X.
The EAP-TLS option is quite fascinating, as the company is taking on the burden of running a public-key infrastructure (PKI) for you. Running a PKI is usually beyond the means of most smaller companies, and even large enterprises sometimes opt not to build one. With a PKI, BoxedWireless can let you use the most secure method of EAP encryption, in which the server certificate is authenticated first, after which the unique client certificate is delivered to the server for full mutual authentication. You can even issue temporary-duration certificates to particular users for guest or temporary access.
For an office of 10 users, the cost is $24 per month or just over $2 per user. They charge based on a range, such as 1 to 10 users or 51 to 100, so the cost per user varies based on which end of that range you're on. The worst case is still a few dollars per month per user.
BoxedWireless makes it easier to use a variety of platforms with small-office WPA Enterprise because you can use any standard EAP-TLS or PEAP client (with MS-CHAPv2 inner method). But they don't provide the extra in-house failover method offered by Wireless Security Corporation in WSC Guard, the other slightly more expensive outsourced WEP/WPA 802.1X solution. WSC Guard includes software that runs on the local network in case the Internet connection drops, the path to the Internet (i.e., the route between your network and WSC or BoxedWireless) is temporarily lost, or the remote 802.1X authentication server fails.
Update: Over at Techworld.com, Peter Judge chimes in on the issue of trust and reliability for services of this kind, especially where public keys, certificates, and encryption are concerned. Peter got the additional detail that authenticated users retain their access to the network in the event of an infrastructure failure: this makes sense, as new keys are provided only through a rekeying process that requires the client's participation.