I've posted this question on two forums (DD-WRT, Linux) with no response. It has to do with manufacturers forcing insecurity of wireless lans. It seems like no matter how much you want, you can't truly secure you're WLAN unless you use a minimal # of devices. Right now, I'm running WPA2/AES which two laptops, a Wii and a linksys camera can use and a wired server. All the kids have DSs which can only connect with WEP and I would like to set up RADIUS which would remove the Wii and camera. What I would like to do is buy a cheap wireless AP and set up WEP for the Wii, camera and DS (can these be hacked?). This AP would would limit traffic to/from its stations and "bridge" with the primary secure AP in such a way that the laptops and wired server would not be affected. Sort of like a petri dish, any bad thing created on the secondary AP could not escape. The secondary would have be to able to negotiate with RADIUS. I don't know if this is possible. Any ideas?

I agree. That least common denom. theory makes the weakest link in the chain your highest possible security posture. Here's a thought from an architectural standpoint. Don't just use another AP. Get a full wireless router, and put them on a different subnet. You can dumb it down to WEP and still use the same radius server for auth. Or, since it is only 3 devices, don't worry about radius and just set them up on the dumbed down router using MAC filtering as well. Many routers now also come with a nice little feature that disallows anyone connected via the wireless network from accessing the control panel. This makes it so that only those with physical access to your network via the wired LAN can make changes to your router's settings.

Hope this helps,
Don