Hi Isak,
If you want WPA-Enterprise grade security, you necessarily require a RADIUS service (as per standard).
The RADIUS server may or may not be embedded in the Wireless LAN Controller.
If you want to use the integrated RADIUS server in the Wireless LAN controller, you will have to decide which type of authentication mechanism you want to use.
PEAP is popular but has inherent vulnerabilities. If you want to use the integrated RADIUS server, you may also have to unencrypt or use symmetric encryption for you Active Directory user passwords (which is usually not desired).
Even if this is a very simple network, you may want to consider deploying digital certificates and use EAP-TLS for your users using either the Microsoft CA service or simply TinyCA (Linux). Then you may use the integrated RADIUS server coupled with the OCSP responder to validate client's certificate.
However, this might be an overkill solution for 30 employees. You'll probably prefer using the WPA-PSK and change the Passphrase quartely.
Best regards,