I have configured an EAP-TLS wlan. I have configured the radius server to assign a vlan to the user depending of the user group.
In this way I avoid that an user with a valid certificate that discover another SSID can change the VLAN changing his SSID (so I control what vlan connects every user)
But when I have configured WDS in the wlan it stops to work. Because (I suppose) when the user reauthenticates (not the firt time) the WDS don't ask the radius server (it uses his cache) so it doesn't use the radius configuration and applies the vlan deppending of the user SSID.
I think that the WDS configuration is not working as intended. Thats the reason the WDS is not caching the credentials and authenticating the user. Under Wireless Services > WDS status tab do you see the the infrastructure devices as Registered. if not check the authentication server for authentication stats. The first thing is that the WDS AP should register the infrasrtructure devices. Only then things will work.