What is the difference between PSK and 802.1X Wi-Fi authentication?

PSK (Pre-Shared Key) uses a single password shared by all users on a network. If one person shares the password or a device is compromised, every device on the network is exposed. 802.1X authenticates each user or device individually against a RADIUS server using unique credentials - username/password or certificates - so access can be granted, revoked, and audited per person or device.

Can I run PSK and 802.1X simultaneously during migration?

Yes, running both SSIDs in parallel is the recommended migration approach. Create a new 802.1X-secured SSID alongside the existing PSK network. Migrate users in waves, then decommission the PSK SSID once migration is complete. This avoids a disruptive cutover and gives users time to configure their devices.

How do I handle devices that don't support 802.1X?

Legacy devices like older printers, IoT sensors, and some conferencing equipment may not support 802.1X. Place these on a dedicated VLAN with MAC authentication (MAB) as a fallback, apply strict firewall rules to limit their access, and plan for replacement when possible. Never keep the entire network on PSK just because a few devices can't do 802.1X.

Should I use EAP-PEAP or EAP-TLS for 802.1X?

EAP-PEAP uses username and password credentials and works on any device without pre-configuration, making it easier to deploy. EAP-TLS uses certificates and is significantly more secure since credentials can't be phished or shared. Most organizations start with EAP-PEAP for quick migration, then graduate managed devices to EAP-TLS certificates over time.

Back to Blog

Security February 10, 2026 16 min read

From PSK to 802.1X: A Practical Migration Playbook

Your shared Wi-Fi password is your network's weakest link. Here's a battle-tested, phased approach to migrating enterprise wireless from PSK to 802.1X without bringing the building to a standstill.

Here's something most network teams already know but haven't gotten around to fixing: the shared Wi-Fi password taped to the conference room wall is a security liability. Everyone who's ever worked at your company, visited your office, or glanced at that sticky note has the keys to your corporate network.

PSK (Pre-Shared Key) was fine when wireless meant a single access point in the server room closet. But in 2026, enterprise networks carry sensitive data, connect hundreds of devices, and are subject to compliance requirements that a shared password simply can't satisfy. The fix is 802.1X - individual authentication for every device and user on your network.

The problem isn't knowing that 802.1X is better. The problem is getting there without disrupting the organization. That's what this playbook covers: a phased, practical migration plan that moves you from shared passwords to per-user authentication while keeping everyone connected.

Why Should You Migrate Away from PSK?

Before diving into the migration plan, let's be specific about what PSK gets wrong. This isn't theoretical - these are real operational problems that get worse as your organization grows.

The PSK Problem List

No individual accountability. Every device shares the same credential. When something goes wrong, there's no way to trace it to a specific user or device.
Revocation is all-or-nothing. When an employee leaves, the only way to revoke their access is to change the password for everyone. Most organizations just... don't.
No per-user policies. You can't put the marketing team on one VLAN and engineering on another when everyone authenticates with the same password.
Credential sprawl. That password ends up in emails, on whiteboards, in onboarding documents. You lose control of it the day you set it.
Compliance gaps. Standards like PCI-DSS, HIPAA, and SOC 2 require individual access controls and audit trails. PSK provides neither.

With 802.1X, every connection is authenticated against a RADIUS server using individual credentials. You know exactly who's on the network, you can revoke access per-person, you can route users to specific VLANs based on their role, and you have a full audit trail. For the full security case, see our article on why modern Wi-Fi should be certificate-based.

How Do You Choose the Right EAP Method?

802.1X is a framework, not a single protocol. You need to pick an EAP (Extensible Authentication Protocol) method that determines how credentials are verified. The two that matter for most enterprise deployments:

Aspect	EAP-PEAP (Passwords)	EAP-TLS (Certificates)
Credential type	Username + password	Client certificate
Phishing risk	Passwords can be phished or shared	Certificates can't be phished
User experience	Users enter credentials once	Fully transparent after initial enrollment
Device setup	Works on any device, no pre-config needed	Requires certificate provisioning (MDM or SCEP)
BYOD support	Easy - users enter their directory credentials	Harder - requires enrollment workflow
Revocation speed	Disable user in directory	Revoke certificate for instant denial
Ideal for	Quick migration, BYOD, mixed environments	Maximum security, managed device fleets

The pragmatic approach: Start with EAP-PEAP for the initial migration. It uses the directory credentials people already have, works on unmanaged devices, and doesn't require certificate infrastructure. In 2026, most organizations follow this path: once 802.1X is working and stable, graduate managed devices to EAP-TLS certificates for stronger security. More on the certificate path in our certificate-based authentication guide.

What Should You Do Before Migration?

Don't touch a single access point until you've nailed the infrastructure underneath it. A failed migration attempt trains users to distrust the process - and makes the next attempt harder.

Step 1: Audit Your Current State

You need to know what you're migrating before you can build a plan.

Inventory connected devices: How many? What types? Pull MAC address tables, DHCP leases, and AP association logs. Categorize into managed laptops, BYOD phones, IoT devices, printers, conferencing equipment, and anything else.
Identify the outliers: Which devices can't do 802.1X? Older printers, IoT sensors, and legacy equipment may only support PSK or no authentication at all. These need a separate plan.
Map your SSIDs: How many wireless networks do you have? What purpose does each serve? Is the corporate network on PSK? Is there a separate guest network?
Document your identity stack: Where do user accounts live? Active Directory, Azure AD, Google Workspace, Okta? The RADIUS server needs to validate credentials against this directory.

Step 2: Deploy RADIUS Infrastructure

RADIUS is the decision engine. Access points forward authentication requests to RADIUS, which validates credentials against your identity provider and returns access policies (accept/reject, VLAN assignment, session limits).

RADIUS Deployment Options

Cloud RADIUS (recommended for most): Services like IronWiFi provide RADIUS that integrates with Azure AD, Google Workspace, Okta, and Active Directory without managing servers. Built-in redundancy, automatic failover, and no patching.
On-premises RADIUS: Microsoft NPS (Windows Server), FreeRADIUS, or Cisco ISE. Full control but requires server management, high availability planning, and ongoing maintenance.
Hybrid: Cloud RADIUS as primary with on-premises backup, or vice versa. Good for organizations with strict data residency requirements.

Whichever option you choose, deploy it early and test it thoroughly before any user migration begins. RADIUS becomes critical infrastructure the moment your first user connects via 802.1X - treat it accordingly.

Step 3: Configure Access Points

Create a new SSID for 802.1X authentication. This is crucial: don't modify your existing PSK SSID. You want both running in parallel during migration.

The AP configuration is straightforward regardless of vendor:

Create a new SSID (e.g., "CorpSecure" or your company name)
Set security mode to WPA2-Enterprise or WPA3-Enterprise
Point the RADIUS server to your new RADIUS infrastructure (primary + secondary)
Configure dynamic VLAN assignment if your RADIUS returns VLAN attributes
Set a reasonable RADIUS timeout (5-10 seconds) and retry count (3)

Test with a handful of IT team devices before announcing anything to the broader organization.

Step 4: Plan Your VLAN Architecture

One of the biggest advantages of 802.1X is identity-based network segmentation. RADIUS can return VLAN attributes based on who's connecting, automatically placing users in the right network segment.

A common starting architecture:

VLAN	Purpose	Access Level
Corporate	Managed laptops, domain-joined devices	Full internal resources, internet
BYOD	Personal phones and tablets	Email, collaboration apps, internet only
IoT / Devices	Printers, sensors, displays, cameras	Specific services only, no lateral movement
Guest	Visitors, temporary users	Internet only, isolated from internal
Quarantine	Failed or unknown devices	Remediation portal only

You don't have to implement all of this on day one. Start with a single VLAN for 802.1X users and add segmentation as the migration matures. The point is that 802.1X enables this - PSK never could.

How Should You Phase the Migration Rollout?

Big-bang cutovers fail. Phased rollouts let you catch issues early, build support desk familiarity, and adjust your approach based on real feedback.

Phase 1: IT and Early Adopters (Week 1-2)

Your IT team goes first. They'll encounter every configuration edge case before regular users do, and they'll build the troubleshooting knowledge needed to support the broader rollout.

Migrate IT devices: Connect all IT team laptops and phones to the new 802.1X SSID. Document every issue encountered.
Build support documentation: Write connection guides for each OS: Windows, macOS, iOS, Android, ChromeOS. Include screenshots. Make them simple enough that users can self-serve.
Establish the support workflow: How do users get help? Self-service portal? Helpdesk ticket? Walk-up support? Decide now, before the flood.
Recruit champions: Identify tech-savvy people in each department who can help colleagues. They reduce helpdesk load dramatically.

Phase 2: Department-by-Department (Week 3-6)

Roll out to one department at a time. Start with a technically capable group (engineering, product) and work toward less technical teams.

Announce in advance: Give each department a week's notice. Explain what's changing, why, and where to get help. Send the connection guides.
Offer hands-on support: For the first wave, have IT available in-person during the switch. Even 30 minutes of walk-around support prevents dozens of helpdesk tickets.
Keep PSK running: The old SSID stays active as a fallback. If someone can't connect to the new network, they're not dead in the water. This is temporary, not permanent.
Track progress: Monitor RADIUS logs for connection successes and failures. Track how many devices have migrated versus how many remain on PSK. Set targets for each wave.

MDM Makes This Easier

If you have a mobile device management solution (Intune, Jamf, Workspace ONE, Mosyle), use it to push the 802.1X Wi-Fi profile to managed devices automatically. Users don't have to configure anything - the next time their device reconnects, it joins the new network seamlessly. This alone can migrate 60-80% of your fleet without user interaction.

Phase 3: Stragglers and Edge Cases (Week 7-8)

The last 10-20% is always the hardest. This is where legacy devices, forgotten equipment, and the "I'll do it later" crowd live.

Set a firm PSK decommission date: Announce it organization-wide with at least two weeks' notice. No password lasts forever, and neither should your legacy SSID.
Handle legacy devices: Move printers, IoT sensors, and other 802.1X-incapable devices to a dedicated SSID with MAC Authentication Bypass (MAB) on an isolated VLAN. Apply strict firewall rules. See our IoT security guide for detailed segmentation strategies.
Decommission the PSK SSID: Once migration targets are met and legacy devices have a home, shut down the old network. Don't leave it "just in case" - a lingering PSK SSID undermines everything you've built.

Don't Skip the Decommission

The most common migration failure isn't technical - it's organizational. Teams leave the PSK SSID running "temporarily" and it becomes permanent. Set a date, communicate it, stick to it. If users can fall back to PSK, many will, and your migration will stall at 70%.

How Do You Handle Legacy Devices and Edge Cases?

BYOD Devices

Personal devices are the biggest migration friction point. You can't push MDM profiles to them, and employees are justifiably cautious about installing anything corporate on their personal phones.

Options for BYOD:

EAP-PEAP with directory credentials: Users enter their work username and password. Works on every platform, no special configuration needed.
Dedicated BYOD SSID: A separate 802.1X network that places personal devices on a restricted VLAN with limited access (email, collaboration tools, internet).
Onboarding portal: A web-based enrollment workflow that guides users through connecting their personal device, potentially provisioning a certificate for seamless future connections.

The key principle: BYOD users should never get the same network access as managed corporate devices. 802.1X with dynamic VLAN assignment makes this distinction automatic.

Legacy and IoT Devices

Some devices simply can't speak 802.1X. Old printers, building management systems, security cameras, and specialized IoT equipment often support PSK at best.

The strategy:

Move them to a dedicated SSID with MAC Authentication Bypass (MAB)
Place them on an isolated VLAN with strict access controls
Whitelist only known MAC addresses (and know that MAC addresses can be spoofed)
Apply destination-based firewall rules: these devices should only reach the specific services they need
Monitor traffic from these segments more aggressively than authenticated segments

Never keep the entire organization on PSK because 15 printers can't do 802.1X. Isolate the exceptions; secure the majority.

Multi-Site Rollout

If you have multiple offices, start with your headquarters or largest site. Refine the playbook, then replicate to remote sites. Cloud RADIUS services help here - no need to deploy RADIUS servers at every location. Remote APs authenticate against the same cloud RADIUS, applying consistent policies everywhere.

After Migration: What's Next

Getting off PSK is a milestone, not the finish line. Once 802.1X is stable, there's a natural progression of improvements to consider.

Graduate to Certificate-Based Authentication

EAP-PEAP with passwords is a massive improvement over PSK, but certificates (EAP-TLS (RFC 5216)) are the end goal for managed devices. Certificates can't be phished, shared, or guessed. They enable true device-level authentication - the machine itself is verified, not just the human typing a password.

Use SCEP (Simple Certificate Enrollment Protocol) or your MDM to push certificates to managed devices. The transition from EAP-PEAP to EAP-TLS can be seamless if managed through device profiles - users don't even notice the change.

Implement Conditional Access Policies

With identity-based authentication in place, you can layer on richer access decisions:

Require MFA for sensitive resource access
Check device compliance before granting full access
Restrict access based on time, location, or device health
Dynamically adjust VLAN assignment based on posture

This is where 802.1X becomes a foundation for Zero Trust wireless architecture - a topic we cover in depth in its own guide.

Monitoring and Continuous Improvement

Track these metrics to measure the health of your 802.1X deployment:

Authentication success rate: Should be above 99% after stabilization. Investigate persistent failures.
Average authentication time: Should be under 2 seconds for EAP-PEAP, under 1 second for EAP-TLS. Slow auth often indicates RADIUS performance issues.
Certificate expiration forecast: If using EAP-TLS, monitor certificate lifetimes and automate renewal before expiry causes outages.
Rogue device detection: Monitor for unknown MAC addresses attempting MAB on your IoT VLAN.
PSK remnants: Verify no PSK SSIDs are still broadcasting. Audit regularly.

Ready to Start Your Migration?

IronWiFi provides cloud RADIUS that integrates with Azure AD, Google Workspace, Okta, and Active Directory out of the box. Deploy 802.1X authentication with dynamic VLAN assignment without managing RADIUS servers or worrying about high availability.

Explore WPA-Enterprise Talk to an Expert

Trusted by 1,000+ organizations in 108 countries

What Should Your Migration Checklist Include?

Here's the condensed version. Print it, pin it to the wall, check off items as you go.

Audit: Inventory all devices, identify 802.1X-incapable equipment, map SSIDs, document identity provider.
RADIUS: Deploy and test RADIUS infrastructure. Verify integration with identity provider. Confirm high availability.
SSID: Create new 802.1X SSID alongside existing PSK. Configure RADIUS pointing, VLAN assignment, timeouts.
Test: IT team migrates first. Document issues and build support guides for all platforms.
MDM push: Deploy 802.1X Wi-Fi profiles to managed devices via MDM. Track adoption.
Rollout: Migrate departments in waves. Provide hands-on support for early waves. Track progress.
Legacy plan: Move 802.1X-incapable devices to MAB on isolated VLAN with strict firewall rules.
Decommission: Set firm date. Communicate widely. Shut down PSK SSID. Verify no remnants.
Harden: Graduate managed devices from EAP-PEAP to EAP-TLS. Implement conditional access. Monitor continuously.

Is the Migration to 802.1X Worth It?

As of 2026, migrating from PSK to 802.1X is the single most impactful security improvement you can make to your wireless network. It gives you individual accountability, granular access control, compliance-grade audit trails, and the foundation for every advanced security capability that follows.

The migration itself isn't technically difficult - it's operationally demanding. The difference between success and a stalled project is planning, communication, and commitment to decommissioning the old PSK network. Run both in parallel, migrate in waves, handle edge cases with purpose, and set a firm end date.

Your shared password served its purpose. It's time to move on.

Tags: 802.1X WPA-Enterprise PSK RADIUS Migration Wi-Fi Security EAP-TLS EAP-PEAP Enterprise Wi-Fi