can the access point be configured to do local authentication for 802.11N, or is a radius server necessary?
Correct. This is because WPA2 in and of itself is not really an authentication protocol. For example, if you look at setting up WPA2 Enterprise on a W7 machine, you will see security options that allow you to pick the authentication protocol. Your options in Windows 7 native are SmartCard/Certificate or PEAP (which is one of the flavors of Extensible Authentication Protocol, aka EAP). Here is a screengrab:
Unfortunately, the native EAP options in Windows are not compatible with the native Aironet autonomous EAP options, which are LEAP (older) and EAP-FAST (newer). Both of these EAP methods are Cisco-developed methods. If you want to use local EAP authentication on an AP, I would suggest you go with EAP-FAST. To get EAP-FAST functionality onto your Windows client, you can use the Cisco AnyConnect client with the Network Access Manager (NAM) module. This is what that client looks like, and you can see from the authentication selection list that you now have an option for EAP-FAST (and LEAP):
You would configure WPA2/AES independently, which you do through the security settings -- encryption manager. You need to first enable support for the AES CCMP cipher, and then you need to enable WPA support on your SSID (along with your accepted EAP method).
The link that George provided is a good guide to put all this together. Modify the instructions to use EAP-FAST instead of LEAP, configure an AES CCMP cipher instead of WEP, and set your SSID to accept Open with EAP + Network EAP and also WPAv2.