Doing an EAP method via 802.1x is going to be stronger than a VPN is, at least for wireless. VPNs only protect your unicast data, not your wlan or broadcast data....there are several other drawbacks to vpn for wireless.
Create multiple SSID-VLAN mappings: one for EAP-capable devices, and others for less secure devices like the Spectralinks. This way you can let more-capable devices do better security, and the phones will do static WEP. Set up ACLs to restrict what devices coming in on the phone ssid-vlan can get to to just the spectralink gateway and you should be good.
It's probably best to set the spectralink gateway on the same vlan as the phones, and only let the server off the net (assuming it needs to talk to a Call Manager or something). Otherwise if it's just interfacing to your PBX, don't let anything of that vlan.