Are you working with a fixed set of users? or will there be guests or a significant number of transient users?
Are any of the hosts wireless VoIP phones?
Do you have other security resources on this network (i.e., Certificate services, MS Domains)?
Do you have any other security needs that will share the ACS/RADIUS services (like VPNs or 802.1x port security)?
The range of security available for wireless can be as simple as "just use pre-shared keys and WPA2" to full-boat implementation of EAP-TLS, where each host gets a certificate and authenticates against the CA and the Microsoft AD.
As a standalone system, nearly anything will do within the window between how secure you need the system to be weighed against how much pain you're willing to inflict on your users to get it.
In the context of using the same AAA resources to feed wireless, VPN, console access, etc., then you must first narrow the field to a security type that all will support, then decide how much administrative burden you can handle, how much grief the users will endure, and so an.
If you're not sure on any of the above, this would be a good time to enlist the services of a good contractor/VAR/consultant that can look over your entire setup and make a specific recommendation.
You would more than likely want to use WPA2-Enterprise for your permanent users, you will get the advantage of machine authentication (802.1x) and the process is seamless to the end user. For guest access there are a couple of options, you can use a lobby admin account and use webauth (seems easier to manage) and it a lot more secure than a PSK.