not

We cannot protect against users associating with a rogue Access Point as long as we do not have cryptographically secured beacons.
We cannot protect the link layer.
Protect against DoS as much as we can (limit use of TCP 3way handshake, try to use Ipsec)
EAP/802.11 alone cannot fix this. IPsec with authentication can. It could even use EAP/802.11, but why? There are other ways.

We cannot protect against users associating with a rogue Access Point as long as we do not have cryptographically secured beacons.