We are going to implement a 4402 WLC and light-weight APs on our network. Our network is basic with windows servers and windows XP clients. The wireless network will be used by our users for local resources and our guests for access to a broadband service for which we are setting up a separate SSID and VLAN. I'm comfortable with the WLC and AP deployment. For guest access I've been researching the WLC guest login/authentication page option.
For our local users I'm really confused on all the security and authentication options. I know the options are: WPA, WEP, TACACS, MAC address, PKI, 802.11, Layer 1, Layer 2, Layer 3, EAP, TKIP, RADIUS, but I'm really confused which to use for our local users and how to configure the right option. Our security needs are not that great as we are not passing government secrets but I know WEP is not an option for us. I would greatly appreciate if someone can point me in the direction to understand the security options and which would best suit our needs.
For link security, if all of your clients support it, use WPA (WPA2 if possible) with AES encryption.
If some clients don't support AES, it's possible to offer TKIP as well.
For client authentication, as usual, it boils down to what resources (human and processing) are available, budget, and administrative pain (coupled to how dynamic your user population tends to be).
If you have a small number of employees / hosts / devices, and they tend to not be a high turnover group, the shared key ("WPA-PSK" or "WPA-Personal") works ok. It is strongly recommended that you use a fairly long and complex key (you only have to enter it once during configuration of each client).
If your group changes, and / or it's a larger group, then consider using an "Enterprise" authentication, like PEAP, LEAP, or EAP-FAST which can be tied to your domain server / Microsoft authentication credentials by way of a RADIUS server (like Microsoft IAS, which you probably already have available).
Security-wise, completely rule out MAC filtering (useless, easily defeated), non-broadcast SSID (useless, no security impact, creates problems with many MS Windows clients), and anything using static WEP.
TACACS+ is very good for authentication, but may be overkill for your scenario. Cisco ACS and TACACS+ offer a lot of options, but if you don't need all the options, then it's just adding complexity.
It gets easier when you remember that the link security and encryption (WPA, WPA2) are separate from the user authentication (802.1x delivered via userlist, RADIUS, TACACS+ by way of EAP methods).
The Planet3 book for CWNA published by Osborne is an excellent reference and training guide and covers the essentials (and more) of how all of this fits together and common / best practice implementations.
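To make the shared-key versus per-user-credential distinction in the answer above concrete, here is an added example (my own code, not from the poster, Cisco, or Microsoft) that shows how WPA/WPA2-Personal derives the one key every client shares from the passphrase and SSID, plus a simple gate for the "fairly long and complex key" advice. The policy thresholds (20 characters, about 80 bits) and the entropy estimate are my assumptions, not anything from the page.

```python
import hashlib
import math
import string

# WPA/WPA2-Personal (PSK) derives the 256-bit Pairwise Master Key from the
# passphrase and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations (IEEE 802.11i).
# Every client on the SSID shares this single key, so the passphrase is the
# only secret protecting the link; Enterprise (EAP + RADIUS) avoids that.
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# Rough entropy estimate: size of the character pool the passphrase draws
# from, raised to its length. Coarse, but fine as a policy gate.
def passphrase_entropy_bits(passphrase: str) -> float:
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation + " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0

# Thresholds are assumptions for this example: at least 20 characters and
# roughly 80 bits of estimated entropy before a shared key is accepted.
def psk_policy_ok(passphrase: str, min_len: int = 20, min_bits: float = 80.0) -> bool:
    return len(passphrase) >= min_len and passphrase_entropy_bits(passphrase) >= min_bits

if __name__ == "__main__":
    # Documented 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    for p in ("password", "Blue-Kettle-47!Wombat-Tea"):  # constructed samples
        print(f"{p!r}: {passphrase_entropy_bits(p):.0f} bits, "
              f"policy ok={psk_policy_ok(p)}")
```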