I have a customer that must perform a LEAP to PEAP migration. The good thing is that all of the back end authentication is SecureACS, so it can do both. We're using a 4404 WLC with approx. 25 APs. The customer doesn't have centralized management for the clients, so there's no clear upgrade and/or migration path. As laptops come in to the company's repair center, they'll have the profile changed. With that having been said, I have created two different profiles with the same SSID name, but with the security settings for LEAP on one and PEAP on the other. Since the clients only have LEAP or PEAP configured, not both, should this work? I have errors on some of the clients, but it's not clear as to whether or not my config is to blame. The two SSIDs collapse to the same VLAN - will I really see any improvement by placing the users on different VLANs? Or is the recommended practice two different SSIDs and VLANs all-together? Of course I've seen documentation on the latter, and it would seem that no one has considered the rather unusual constraints of my customer in so much that they don't have a clear cut-over procedure in place (making the two SSID/VLAN approach a no brainer). I guess I'd like a general consensus as to whether or not it's appropriate for me to demand the recommended hard cut-over since my customer is very reluctant to put forth the effort to do so.