Enabling support for RadSec in hostapd

Newer versions of hostap support RadSec, also known as RADIUS over TLS (RFC 6614). See https://w1.fi/cgit/hostap/commit/src/radius/radius_client.c?id=95a825bc43b508e8b3757385de91c2452721ef3f for the commit adding support in hostap. Unfortunately, this feature is disabled by default and has to be enabled manually by selecting CONFIG_RADIUS_TLS=y.
If the full hostapd/wpad package in OpenWrt could get RadSec support, that would be awesome.

Use case for me: Somewhat trusted (read: untrusted) network carrying user traffic and management traffic in different VLANs. Sometimes, people plug in other devices intentionally or by accident, and I'd rather not give them the ability to snoop RADIUS traffic. Right now I can solve that by installing radsecproxy on every access point, but that takes quite a lot of flash space. Getting that feature built-in as part of hostapd would be awesome.

I'll try to create a pull request next week unless there are objections (there's a small size increase).

1 Like

Just like WPA3, it depends on the SSL framework, so it applies to the 3 SSL flavors, but not hostapd-full.