Security

I have an existing SSID that uses WPA2-AES auth/encryption.  I want to setup 802.1x auth, would it be best to set this up on the existing SSID or create a new SSID?  

If I set it on the existing, the devices will not be able to connect until the option in wireless setup for PEAP/EAP is set correct?

You are correct.

You would need a seperate SSID profile that uses WPA2-Enterprise   instead of WPA2-PSK (that you currently have).    The setting in the Aruba Controller's SSID profile of just 'WPA2' would indicate a WPA2-Enterprise network driven in the background using 802.1x.

The "SSID PROFILE" is what is used to set which mode (pre-shared or dynamic) credentials are to be used...in a given WLAN network (SSID) therefore it's one or the other...not both simultaneously.  

When conversions like this happen its common to run the old service and the new service in parallel.   I would recommend the use of Airwave then to run reports per-SSID to see how the users are 'migrating' naturally over to the new network.   

JF

Small point of clarity...

When is said "When conversions like this happen its common to run the old service and the new service in parallel."

I simply mean two SSIDs  on the same network ;-)    one PSK  one 802.1x driven.

JF

Thanks for the input.

Do you now if there is a way to automate the converstion process on the client?  I am assuming we will need to touch each client.

Josh,

The best way would be group policy, but you should test to make sure that a single client works first and then you can deploy the group policy to your clients.

There is an article on Group Policy here http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-How-to-create-a-Wireless-Group-Policy-on-Windows-2008/m-p/11768/highlight/true#M315

Thanks for all the Help!  In about 20 minutes I have it all setup and working on a test SSID!

THANKS FELLOW AIRHEADS!

Josh