use 802.1x instead of PSK (Score 2, Informative)

everything looks fine except for the WPA-PSK part. Use WPA with 802.1x authentication instead of pre-shared keys. Its more secure and makes overall management easier (want to lock a user out, just disable his account on the server; users can use the same password as they use on their VPNs or on your regular network, a new master-key is generated per session, you can allow users to login only at specific times or from specific access points). The only problem is that authentication takes a wee bit longer than PSK each time, but unless you have users using voice-over-IP and walking around from access-point to access-point you wont notice any difference with 802.1x