I have very limited experience with wireless. We just purchased the 1142 AP. No need to have a WLC right now. I have it up and running with TKIP-WPA2 just fine. That's about where I stop. I was looking at the Windows 2008 R2 server this morning trying to figure out how to perform some sort of authentication.
What is the best option for securing the network on an autonomous AP? Is it best practice to not broadcast the SSID even if I'm using 802.1x for authentication? How should I configure encryption? I'd like to authenticate company-owned devices by MAC, but allow for guest access if authentication fails. The guest VLAN is a layer 2 VLAN that defaults to the external firewall. I do have a RADIUS server as a resource. Am I on the right track? Is there a good document out there that explains how to "easily" (kind of relative there, I know) set up a RADIUS server on Windows 2008 R2 to work with the AP1142?
For the internal devices you should go with WPA2/AES/802.1x (PEAP); you only need the server-side certificate.
As for BYOD, I'd leave that SSID open, but put them on a VLAN that can only reach the Internet.
I have seen customers that do a PSK for the guest network, but I don't see the need myself.
Now if they want to bring their BYOD onto your network then you should look into an MDM solution so that you have some control over them.
Sent from Cisco Technical Support iPhone App
A few items you might want to consider to add to your list:
1 - VLAN segmentation: You would want to trunk at the switch port, then add and bridge on the access point the multiple VLANs you will want to carry; for example, you mentioned guest and production.
2 - Turning off the SSID is little to no real protection. Some wireless clients will have issues if it's NOT broadcast.
3 - TKIP/WPA2 -- I might suggest sticking with the standard WPA/TKIP or WPA2/AES.
4 - Not a fan of MAC auth only because it's a pain in the butt.
Basic Wireless Access Point Config Example
EAP Auth With RADIUS Server
PEAP / IAS
YouTube Video on PEAP and IAS
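
The setup the two replies describe (WPA2/AES with 802.1x for internal devices, an open guest SSID on its own VLAN, and a trunk to the switch) could look like this on an autonomous AP. This is an added example, not configuration posted by anyone in the thread; the SSID names, VLAN IDs, RADIUS address 192.0.2.10, the `<shared-secret>` placeholder and the use of only the 2.4 GHz radio (Dot11Radio0) are assumptions.

```cisco
! Constructed values: SSID names, VLAN IDs, 192.0.2.10, <shared-secret>
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Internal SSID: WPA2 key management with 802.1x; the EAP type (PEAP)
! is negotiated between the client and the RADIUS server, not set here
dot11 ssid CORP
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! Guest SSID: open, mapped to the Internet-only VLAN
dot11 ssid GUEST
 vlan 20
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid CORP
 ssid GUEST
 mbssid
 no shutdown
!
! One radio and one wired subinterface per VLAN, bridged together
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

The switch port facing the AP has to be an 802.1Q trunk carrying the same VLANs, and the AP has to be defined as a RADIUS client on the Windows server with the same shared secret.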