There seem to be several points of confusion.
First, WPA/WPA2 Enterprise *is* 802.1x.
Certificates are more of a microsoft thing, and are not part of the 802.1x specification (download a copy from
http://standards.ieee.org/getieee802/download/802.1X-2004.pdf by choosing a user type from the picklist and agreeing to IEEE's terms). You can disable the client-side certificates in windows by choosing PEAP in the EAP-type picklist of the network's Properties on the Authentication tab; disable checking the server's certificate by clicking the Properties button right below that picklist and UNchecking the 'validate server certificate' box at the top of the PEAP properties dialog. Server certificates DO help prevent fake RADIUS servers from phishing names and passwords out of wireless clients, though, so don't think they're a 'bad' thing.
Second, you're not separating authentication (802.1x versus Pre-Shared Key) and encryption (RC4 versus AES).
The original WEP used 40-bit RC4 encryption (5-byte passphrase + 3-byte constant added by each side; the 3-byte constant was as unique as it could be for 16 million possibilites, but did not ever change), because 40-bit encryption was the strongest allowed to be exported from the USA at the time WEP was invented. Fortunately for privacy advocates everywhere Phil Zimmerman gave us PGP via the 1st amendment end-around and by the time the government dropped the case against him in 2000, the weaknesses of WEP's RC4 implementation had been exposed and people were working on something better. WEP can be cracked, using freely available software, in 10 minutes or less if there is traffic to observe and you have an adapter+driver that can capture raw packets; 5 minutes or less if you have an adapter+driver combination that can do injection. Mainly because the passphrase is included in every packet and it never changes (except when you manually change it in the router/AP).
WPA-TKIP (Temporal Key Integrity Protocol) is really WEP with a passphrase that changes immediately after authentication, then every so many seconds (3600, or 1 hour, is the default... some router/AP firmware allows you to change that value), according to vectors that are computed with the passphrase plus a number used once (NONCE) at authentication. Hackers can capture data exchanged (requires only an adapter+driver that can capture raw packets), assemble them then decrypt up to an hour's worth at their leisure offline, using the same tools that can crack WEP in real time... the only restriction is every time the passphrase changes, they have to redo the decryption/crack. So your data is not secure (unless it's also encrypted with SSL/VPN inside the WPA-TKIP wrapper), but they cannot reverse-engineer the decrypted passphrases to figure out the prior password[s] so your connection is secure. Some router/AP firmware routines added AES encryption to the mix, but that's not part of the official WPA spec, so there's no guarantee a client will support that feature.
WPA2-AES (Advanced Encryption Standard) uses the passphrase + NONCE authentication, and AES is part of the specification as well. AES is one of the strongest encryption methods in use today. It is approved by the NIST for government communications, which should testify to its strength. In addition, WPA2 does NOT include the encrypted passphrase in every packet, so even captured data packets are considered secure.
So, you can have 802.1x *or* PSK authentication combined with WEP, TKIP (both RC4) *or* AES encryption.
Does that address all of your questions?
