The current authentication model appears to be "all or nothing".
Requiring that all nodes be taken down and restarted all at once is unacceptable for production environments.
Many systems support an 'opportunistic' security mode for migration purposes (see Postfix re: TLS).
In this mode, the higher security method is used if it is available, but the less secure (backward compatible) mode will be used if the high security mode is unavailable.
This 'opportunistic' setting can be used during migration (each secondary upgraded, and finally the primary upgraded... no downtime).
After all nodes support security, you can migrate to a 'required' mode to enforce that any new nodes that come up use the now necessary security methods.
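
The migration sequence described above, simulated as an added example (not part of the original post and not any product's code). The mode names `legacy`, `opportunistic` and `required`, the node names and the three-node cluster are assumptions made for illustration; the simulation compares a direct switch to `required` with the phased path and reports which single-node restarts leave a link refused.

```python
from itertools import combinations

# Hypothetical per-node modes (assumed names, not a real product's settings).
LEGACY, OPPORTUNISTIC, REQUIRED = "legacy", "opportunistic", "required"

def negotiate(a, b):
    """Outcome of one link between two nodes: 'secure', 'plain', or None (refused)."""
    if LEGACY not in (a, b):
        return "secure"            # both sides can authenticate
    if REQUIRED in (a, b):
        return None                # one side insists, the other cannot comply
    return "plain"                 # fall back to the backward-compatible mode

def link_states(cluster):
    """Negotiation result for every pair of nodes in the cluster."""
    return {(x, y): negotiate(cluster[x], cluster[y])
            for x, y in combinations(sorted(cluster), 2)}

def rolling_change(cluster, order, new_mode):
    """Switch one node at a time; return the steps that left any link refused."""
    broken = []
    for name in order:
        cluster[name] = new_mode   # restart this single node in the new mode
        if None in link_states(cluster).values():
            broken.append(name)
    return broken

def migrate(direct):
    """Run the migration; direct=True skips the opportunistic phase."""
    # Constructed sample cluster: every node starts without authentication.
    cluster = {"primary": LEGACY, "secondary1": LEGACY, "secondary2": LEGACY}
    order = ["secondary1", "secondary2", "primary"]   # secondaries first
    broken = []
    if not direct:
        broken += rolling_change(cluster, order, OPPORTUNISTIC)
    broken += rolling_change(cluster, order, REQUIRED)
    return cluster, broken

if __name__ == "__main__":
    for direct in (True, False):
        cluster, broken = migrate(direct)
        label = "direct" if direct else "phased"
        print(label, "-> steps with refused links:", broken)
```

In the model, a `legacy` node still gets a `plain` link to an `opportunistic` peer and is refused only by a `required` one, so the opportunistic phase is a transition state and enforcement begins at the final switch.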