I use FreeRADIUS for my database, and it has a brute force login deterrent.. It allows the radius administrator to set a reject-delay value in the security section of the radiusd.conf file. The default value is 1. This means that only one request per user will be allowed per second, no matter how many are submitted during that second, all subsequent login requests during that second will be ignored.
The best way to discourage that is to require your users to use a password that is not guessable or simple. If a hacker is logging in with another user's password without the user's permission or knowledge, then the password was not complex enough or was broadcast in clear text over your wireless network. Do not use the pap login method unless you are using SSL on your hotspot login page.
I do not use SSL, but I do use chap, which encrypts the password only.