There is support for many flexible 802.1X authentication types, including Extensible Authentication Protocol Transport Layer Security (EAP-TLS), Protected EAP (PEAP), Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP-Message Digest Algorithm 5 (EAP-MD5).
A certificate is just an additional level of security. It is not the only level of security available. So, I believe all the above methods can provide authentication without requiring any additional level of certificate.
You can use MS Cert Services to generate an SSL cert for the clients and the ACS box to use. The best bit is that you can use Group Policies to deploy the cert and the WLAN SSID settings to the clients, but this will only work if you use the built-in XP client (SP2 is a must) and PEAP security. Cisco do a pretty good how-to:
Your main constraint is that you want to use XP Zero. In order for this to work "properly" (I've deployed it in some places improperly, against my recommendations), you NEED certificates. "wbrowne" is correct, and you'll need 2003 Enterprise server to make the certificate deployment manageable. I'd aim to use PEAP(EAP-TLS) with machine authentication if I were you, and run WPA2/AES on the radio if all your client device adapters will handle it.