Super short answer:
If you want good security without a lot of hassles, use WPA2-Personal, with only the "AES" (also known as "AES-CCMP") cipher enabled.
Short answer:
For your encryption, use WPA2 (no WEP, no WPA) with AES-CCMP (no WEP, no TKIP).
For your authentication mechanism:
- If you want everyone to share one passphrase, use PSK (a.k.a. Personal).
- If you want to set up separate authentication credentials for each user (like usernames and passwords, or public key certificates), then use Enterprise.
Note, though, that most APs can't do Enterprise authentication themselves; you have to set up a separate RADIUS server on your network and point the AP at that server. If this sounds like too much hassle for you, you'll have to stick with PSK.
Don't mess with WEP or original WPA or TKIP unless you have really old 802.11 gear from 13+ years ago that can't do WPA2, and you don't mind weakening or destroying your security for the sake of getting your aging gear onto the network.
As for your key length question, AES, as used by WPA2, always uses 256-bit keys. Whatever passphrase you use gets hashed, and mixed with some other parameters, to generate a 256-bit session key.
The documentation you're referring to is ancient. Most of it was written in 2007.
All modern devices support WPA2; unless you need to support extremely old wireless hardware (i.e., from 2004 or earlier), there's no need to fall back to WPA or WEP. As such, the security mode you probably want is "WPA2-PSK" (the third one on the list), and the default algorithm of CCMP-128 should be fine.
Best Answer
Definitely WPA2 - it replaces WPA and is considered "secure". Use AES (TKIP has flaws) with a pre-shared key; make it > 13 characters and as random/secure as possible. This should pretty much guarantee that no one can get into your home router. Not that anyone ever would want to, though -- there are plenty of unsecured APs out there that they'd use first.
MAC address filtering is basically useless as the MAC is sent unencrypted, so anyone watching packets could wait for a MAC to come along that is authenticated, then spoof that (trivial). It just adds overhead to your management ("I got a new laptop, why can't I get on my wireless? OH gotta add the MAC, D'oh!")
Disabling SSID broadcast is also not really useful as that is also easily derivable by sniffing the wireless traffic. Again, it only adds a bit of headache when you want to reconnect to your network ("What was my SSID again? Ah right, 'SDFSADF'")
If you can set up a home-based VPN on your system as well, that adds an additional level of security. I set my home wireless router to place wireless users in the DMZ (aka internet) so they cannot access my home network unless further logging in via VPN (another username/password w/login timeouts/resets the cracker would have to defeat). For the near future and against a non-governmental cracker, this is secure. :D