Multiple SSIDs and VLANs
Another option for administrators is to configure multiple SSIDs and/or VLANs for non-802.1X clients, if the access points and switches support these features. The most basic approach is to create a separate virtual SSID configured with the Personal (PSK) mode of WPA or WPA2 security. To segregate this less-secure wireless network, assign the SSID to a different VLAN from the main network. Then, if the PSK passphrase is compromised and unauthorized users gain access, the damage would be minimal, because they reach only the segregated VLAN.
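One way to check that a PSK SSID really is kept off the main network's segment, as an added example that is not from the original article. It assumes the access point uses hostapd-style multi-BSS configuration with one Linux bridge per VLAN; the SSID names, bridge names and the audit_segregation helper are hypothetical.

```python
# Constructed sample input in hostapd.conf syntax (passphrase/RADIUS lines omitted).
WEAK = """
interface=wlan0
ssid=Corp
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
bridge=br-vlan10
bss=wlan0_1
ssid=Corp-Legacy
wpa=2
wpa_key_mgmt=WPA-PSK
bridge=br-vlan10
"""
# Corrected variant: only the PSK SSID (last bridge line) moves to its own VLAN bridge.
FIXED = "br-vlan20".join(WEAK.rsplit("br-vlan10", 1))

PSK_MODES = {"WPA-PSK", "WPA-PSK-SHA256"}
EAP_MODES = {"WPA-EAP", "WPA-EAP-SHA256"}

def parse_bss(config_text):
    """Split a hostapd config into one dict of options per BSS (virtual SSID)."""
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):  # each of these opens a new BSS section
            current = {"ifname": value}
            sections.append(current)
        elif current is not None:
            current[key] = value
    return sections

def audit_segregation(config_text):
    """Return findings for PSK SSIDs that are not isolated from 802.1X SSIDs."""
    bss_list = parse_bss(config_text)
    modes = lambda b: set(b.get("wpa_key_mgmt", "").split())
    eap_bridges = {b.get("bridge") for b in bss_list if modes(b) & EAP_MODES}
    findings = []
    for b in bss_list:
        if not modes(b) & PSK_MODES:
            continue
        if b.get("bridge") is None:
            findings.append(f"{b.get('ssid')}: PSK SSID has no bridge/VLAN assigned")
        elif b["bridge"] in eap_bridges:
            findings.append(f"{b.get('ssid')}: PSK SSID shares {b['bridge']} with 802.1X SSID")
    return findings

if __name__ == "__main__":
    print("weak: ", audit_segregation(WEAK))
    print("fixed:", audit_segregation(FIXED))
```

A clean audit only shows that the two SSIDs land on different bridges; the VLANs still need filtering between them on the switch or router for the segregation to hold.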
You should check whether your RADIUS server and switches support guest VLANs and/or failed-authentication VLANs. These features can automatically give non-802.1X clients network access, but only to a particular VLAN that can be segregated from the main one.