I believe that WPA was the original WPA standard, and WPA2 was an improved version of it. Some network cards can’t connect to WPA2 networks. From the Wikipedia page on WPA:
The later WPA2 certification mark indicates compliance with the full IEEE 802.11i standard. This advanced protocol will not work with some older network cards.
The Wikipedia article cites a white paper from the Wi-Fi Alliance:
WPA is both forward and backward-compatible and is designed to run on existing Wi-Fi devices as a software download.
In a nutshell, a WPA/WPA2 network will allow any network card that supports WPA or WPA2 to connect to it; whereas a WPA2-only network locks out network cards that only support the newer standard. I don’t think there’s any meaningful difference in the security.
FWIW, I’ve used WPA2 Personal on my Airport Extreme since I bought it, and no device has ever had problems connecting.
Confession: I initially misread the question as being about the difference between Personal and Enterprise, and wrote this. Although not directly answering the question, I include it for interest.
“Personal” and “Enterprise” just refer to the two flavours of WPA and WPA2. From the Wi-Fi Alliance’s page on WPA2:
WPA2 can be enabled in two versions - WPA2 Personal and WPA2 Enterprise. WPA2 - Personal protects unauthorized network access by utilizing a set-up password. WPA2 - Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.
I believe that WPA and WPA2 both come in these two flavours, hence the either/or. Personal is more suitable for a home network, but it’s less secure than enterprise. Enterprise connects to a “RADIUS server” for authentication. I don’t know what that is, but it sounds clever and secure.
I’d guess that a device connecting to your Time Capsule just sees a request for a WPA2 password, hence why it doesn’t ask you for a WPA2 Personal password.
Okay so I figured it out myself. Apple provides a configuration utility for configuring WiFi and some other settings.
For Windows - http://support.apple.com/kb/DL1466
For Mac - http://support.apple.com/kb/DL1465
I created a configuration profile using it and entered the WiFi settings there -
Security Type - WPA/WPA2 Enterprise
Protocols
EAP Types - TTLS
Inner Identity - PAP
Authentication
Username - yourusername
Password - yourpassword
I then emailed this configuration profile to myself and opened it from my iPad and it worked.
Best Answer
So, it turns out that Lion supports iOS-style .mobileConfig profiles, so the answer is "distribute mobileConfig files like the MacBook is an iPad."
I can't claim to have figured this out. The story went more like:
Helpdesk Guy: hey, the CEO just called me, can someone get his mac on the wifi now?
Me: Yeah, I'm in the office still, where is he?
Sysadmin Guy: Dude, you don't need to visit him, just send him the iOS mobile config file we use for the iPads.
Me: What? That works?
Sysadmin Guy: Yeah, it does you PC loving doofus
Me: [tests, it does open a newfangled window and holy smokes my mac has enterprise wifi] Wow, that does work, let me email this to the CEO.
Anyhow, I did a little looking around for documentation. I did find some verification that other people are doing this, and I also found this Apple training doc which might be what you are looking for.
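Both answers above distribute a WPA/WPA2 Enterprise profile (TTLS with PAP inside) by email. The following is an added example, not code from either poster or from Apple: it builds such a profile with Python's plistlib and audits it for the two settings that matter most with this setup, a password stored in the file and missing RADIUS server validation (with PAP the password goes to whichever server terminates the TLS tunnel). The payload key names are those of Apple's Wi-Fi payload as I know them; the SSID, identifiers, server name and finding labels are constructed.

```python
import plistlib
import uuid

EAP_TTLS = 21  # EAP method type number for EAP-TTLS
WIFI_TYPE = "com.apple.wifi.managed"

def build_wifi_profile(ssid, username, trusted_server_names, password=None):
    """Return .mobileconfig bytes for a WPA/WPA2 Enterprise (TTLS + PAP) network."""
    eap = {
        "AcceptEAPTypes": [EAP_TTLS],
        "TTLSInnerAuthentication": "PAP",
        "UserName": username,
        # Names the RADIUS server certificate has to match before the client sends credentials
        "TLSTrustedServerNames": list(trusted_server_names),
    }
    if password is not None:
        eap["UserPassword"] = password  # ends up in clear text inside the profile
    wifi = {
        "PayloadType": WIFI_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.payload",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SSID_STR": ssid, "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA",
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise Wi-Fi",
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return findings (constructed labels) for every Wi-Fi payload in a profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_TYPE:
            continue
        eap = payload.get("EAPClientConfiguration", {})
        if "UserPassword" in eap:
            findings.append("password-embedded")
        pinned = eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")
        if eap.get("TTLSInnerAuthentication") == "PAP" and not pinned:
            findings.append("pap-without-server-validation")
    return findings
```

Leaving the password out makes the device prompt for it on first join, so the emailed file carries no credential.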