Hi,
Ok, you got it working with PAP but which EAP method did you use? PEAPv0, PEAPv1 or EAP-TTLS?
Are you using an EAP mechanism from which the WPA2 session key can be derived?
Is your backend user database required to store passwords in plain-text format, or were you able to get it working with NTHash or SSHA?
To answer your question regarding the two authentication layers: I'm not aware of the existence of a Wireless LAN client that supports two authentication challenges. The only two-layer authentication I tried was based on Microsoft Windows clients performing PEAPv0/MSCHAPv2 with both user AND machine authentication on a Cisco WLAN, and it failed. The EAPoL layer can carry only one authentication challenge at a time over the Wireless LAN. Aruba does have a solution to address this combined user AND machine authentication. However, it is Microsoft specific and based on AD integration.
In regards to PCI compliance, I found the following architecture very simple and effective with regard to PCI-DSS compliance:
1- Use VDI (Virtual Desktop) with public visibility - PCI audits will be done in a data-center-only environment
2- Use IOA (Internet Only Access) in all branch offices - NO WAN
3- Consider branch offices like home offices and provide WPA2-PSK with keys changing every 3 months for Wireless LAN access in branch offices (you can simplify the rollout of new keys using QR codes)
4- Flexible solution that works for any kind of device (iPhone, Android, Windows, iPad, Mac OS X, Linux, ...), compatible with all Wireless LAN clients, with low roaming latency
5- VoIP architecture is kept outside of the VDI with a native SIP client (I'm currently working on a SIPS/SRTP public gateway)
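The branch-office WPA2-PSK rotation with QR-code rollout (point 3 above), worked through as an added example. This is not the poster's code or any vendor's tool; it is an illustration of the three pieces the procedure needs: a strong random passphrase, the PMK that 802.11i derives from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), and the "WIFI:" payload that phone camera apps read. The 90-day period, the passphrase length of 20, the function names and the sample SSIDs are all assumptions made for the example.

```python
import hashlib
import secrets
import string
from datetime import date, timedelta

# Alphabet for generated passphrases (assumption for this example): printable ASCII
# minus characters that are easy to misread when typed by hand (0/O, 1/l/I), so the
# printed fallback next to the QR code stays copy-friendly.
PSK_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + "-_.!@#%&*+="
    if c not in "0O1lI"
)

def generate_psk(length: int = 20) -> str:
    """Return a random WPA2 passphrase; 802.11i allows 8..63 printable ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit PMK the way every WPA2-PSK station and AP does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID acts as salt, so the same passphrase on two SSIDs gives two PMKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Characters that must be backslash-escaped inside the WIFI: QR payload.
_QR_ESCAPE = {c: "\\" + c for c in '\\;,":'}

def _qr_escape(value: str) -> str:
    return "".join(_QR_ESCAPE.get(c, c) for c in value)

def wifi_qr_payload(ssid: str, passphrase: str, hidden: bool = False) -> str:
    """Build the 'WIFI:T:WPA;S:<ssid>;P:<psk>;;' string encoded into the QR code.
    T:WPA covers WPA2-PSK; H:true is added only for a non-broadcast SSID."""
    payload = f"WIFI:T:WPA;S:{_qr_escape(ssid)};P:{_qr_escape(passphrase)};"
    if hidden:
        payload += "H:true;"
    return payload + ";"

def next_rotation(last_rotated: date, period_days: int = 90) -> date:
    """Date by which the branch key must be replaced (90 days ~ the 3-month cycle)."""
    return last_rotated + timedelta(days=period_days)

def rotation_overdue(last_rotated: date, today: date, period_days: int = 90) -> bool:
    return today >= next_rotation(last_rotated, period_days)

def issue_branch_key(ssid: str, today: date, period_days: int = 90) -> dict:
    """One rotation: new passphrase, the PMK the AP will hold, the QR payload to
    print for staff, and the date the next rotation is due."""
    psk = generate_psk()
    return {
        "ssid": ssid,
        "psk": psk,
        "pmk_hex": wpa2_pmk(ssid, psk).hex(),
        "qr_payload": wifi_qr_payload(ssid, psk),
        "next_rotation": next_rotation(today, period_days),
    }

if __name__ == "__main__":
    # Constructed sample: a hypothetical branch SSID rotated today.
    record = issue_branch_key("Branch-042", date.today())
    for key, value in record.items():
        print(f"{key}: {value}")
```

The PMK derivation is checked in the test below against the 802.11i reference vector (SSID "IEEE", passphrase "password"); the QR escaping matters because a passphrase containing ';' or ':' would otherwise truncate the payload when a phone parses it.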