Well, after lots of research, playing with an AD server, and getting a demo access point, here's where I finally ended up.
Cisco 1231 APs using WPA2 key management, AES encryption, PEAP authentication to RADIUS on our AD server with MS-CHAP v2, all on their own subnet.
The reason I'm using...