Without being too subtle, You've mis-understood much of the research you've read. Don't worry about it, there is quite a bit of contradictory information out there.
There's quite a bit of background information, so it'll be a little bit before I mention FreeRADIUS. First. It's WPA, not WAP. (Different fields of technology) Forget much of what you've read. First, This is what you have been doing. Its called MAC filtering. The AP will only talk to MAC's that it has in it's table. In short, this is useless, since if I wanted to get on, I'd just fire up a packet sniffer. (They're free and easy to get. http://www.wireshark.org/ for example) Copy some poor souls MAC address, and I'm on. It's an administrative nightmare. You should not do this. A second form of this, is to load all the MAC addresses into a radius server, then the AP will interrogate Radius to find out if it's on it's allow list. This is as useless as the way your doing it now, because I can still easily copy your MAC address. You should not do this either. Second: You mention 802.1x with WEP. You do not enter WEP keys at all, the RADIUS server takes care of it. This is a standard way of doing wireless. However I'd highly recommend you DO NOT pursue this, as it's very insecure, and has been replaced by WPA. All the benefits of doing this apply to WPA. But you can do this if you want, but I'd suggest not to. Third Now we're on to WPA. This is what you should implement. WPA comes in two forms. WPA and WPA2 The primary difference is the WPA was designed as a interim protocol, with backward compatibility in mind. WPA2 was designed to be run on new hardware, and uses AES encryption. If you are setting a new network up, just use WPA2. Both WPA and WPA2 come in two forms. PSK and Enterprise PSK (or Pre-Shared Key) is what you mentioned. You load a secret key onto all your AP's, and then put the same key on all your users machines. It's designed for HOME Use. You do NOT want to use this form. Enterprise is what you WANT to use. You have all your usernames and passwords stored in a database. (Be it SQL, ActiveDirctory, LDAP, etc) This is where FreeRADIUS comes in. You configure all your AP's to use RADIUS, and give it the radius IP. You configure RADIUS to perform either TTLS and/or PEAP. (This is site specific, you need to decide your backend database to determine which one you can use) You configure your client to use TTLS or PEAP, and upon connecting to the network, they will be prompted to enter username and password. If they don't have one, they don't get on. If they do have one, they get on. Now we're at RADIUS. What type of user database do you have? Activedirectory? Novell? No having one is an acceptable answer as well. Post back, it's a lot of info, but we're here to help. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html