What is the difference between WPA2-Personal (PSK) and WPA2-Enterprise (802.1X), and when do you use each?
Personal uses a single pre-shared key (password) for everyone — simple but no per-user accountability. Enterprise uses a RADIUS server with individual credentials per user — scalable, auditable, and the standard for corporate networks.
* WPA2-Personal PSK vs Enterprise 802.1X/RADIUS. *
| Feature | WPA2-Personal (PSK) | WPA2-Enterprise (802.1X) |
|---|---|---|
| Authentication | Single shared password for all users | Individual username/password or certificate per user |
| Server required | No — just configure password on AP | Yes — RADIUS server (e.g., Cisco ISE, FreeRADIUS) |
| Per-user keys | No — everyone derives keys from the same PSK | Yes — unique session keys per user |
| User accountability | None — can't tell who is who | Full — logged per-user |
| Revocation | Must change password for everyone | Disable one account |
| Complexity | Simple | Requires RADIUS infrastructure |
| Best for | Home, small office | Enterprise, campus, regulated environments |
802.1X components in Enterprise mode:
- Supplicant: Client software (built into most OSes)
- Authenticator: The AP — controls access to the wireless network
- Authentication Server: RADIUS server that validates credentials
RADIUS server configuration on the WLC:
- RADIUS server IP address
- UDP port numbers: 1812 (authentication), 1813 (accounting)
- Shared secret key between AP/WLC and RADIUS server
Tip: In personal mode, if one employee leaves and you change the Wi-Fi password, every device in the office needs the new password. In enterprise mode, you just disable that one account. This alone makes enterprise mode essential for any organization with more than ~10 users.
Go deeper:
IEEE 802.1X (Wikipedia) — the supplicant/authenticator/authentication-server model behind Enterprise per-user auth.
RADIUS (Wikipedia) — the AAA server Enterprise relies on (ports 1812/1813, shared secret).