AP as RADIUS: shared secret for use with other vendor Access Point?

I have a known-good working setup with an Aerohive AP as RADIUS primary in my network; it works perfectly with Aerohive APs to authenticate supplicants of all types.
I am aware that the Aerohive documentation for an Aerohive AP as RADIUS server notes that "When authenticating with an Aerohive RADIUS server in the same hive, a shared secret is automatically generated."  No problems with an Aerohive AP using an Aerohive AP as RADIUS.

I'd like to allow other vendors' APs to use the Aerohive RADIUS, such as a few test-bed Apple AirPorts, and allow me to authenticate via the known-good Aerohive-as-RADIUS user database (local).  Unfortunately, since the Aerohive-as-RADIUS shared secret is not exposed in HiveManager or on the AP as RADIUS, how can I re-use or extract the shared secret for use on other vendors' access points?

Before I even attempted to incorporate non-Aerohive APs, I tried to set a known, manually generated shared secret with sufficient complexity and 26-character length on the Aerohive as RADIUS.  I pushed a full config to all Aerohive APs and the Aerohive as RADIUS, but unfortunately this does not appear to be supported: none of the supplicants can authenticate, and it seems that Aerohive APs are not happy with a manually generated shared secret:

2014-09-24 06:17:14 err     radiusd[2711]: Received packet from x.x.x.x with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Removing the known, manually generated shared secret from the config (leaving it blank to auto-generate) and pushing a full config to all APs and the AP as RADIUS works perfectly as before, but only with Aerohive APs passing authentication info to the Aerohive as RADIUS.

2014-09-24 06:19:20 info    radiusd[2711]: RADIUS: The RADIUS server accepted user 'tg-tablet-03' through the NAS at x.x.x.x.

If I cannot set the shared secret to a known value, then am I correct to assume that the Aerohive-as-RADIUS automatically generated shared secret is not available to "share" with other vendors' access points?  Is there a workaround to allow non-Aerohive APs to use the shared secret?

shoremedia

  • 22 Posts
  • 4 Reply Likes

Posted 4 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
This seems like a rather bad idea, as what the shared secret happens to be is a private implementation detail. A bit like a programmer using an undocumented API, there is no contract that anything will stay working, so it should be avoided unless it is a dependency you absolutely have to take. In this case, the secret could stay the same, or it could change.

Without it being officially supported, it is not something I would use in production outside of a lab setting where I was playing around to scratch an itch out of curiosity. In a multi-vendor environment, I would definitely recommend using dedicated RADIUS infrastructure.

Manoah Coenraad, Champ

  • 72 Posts
  • 67 Reply Likes
Maybe you can try the RADIUS Client/NAS settings under the Aerohive AAA Server Settings.

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Shoremedia,
RADIUS permits separate shared secrets per client. Leave the Aerohive devices alone and let them derive their own shared secrets.

Navigate to Configuration, then in the menu to the left select Aerohive AAA Server Settings, select your RADIUS setup, then open the RADIUS Client/NAS settings and add the IP addresses of your third-party clients and their desired shared secrets.
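Mike's point that a RADIUS server keeps a separate shared secret per client is exactly what the failed check in the question's log ("invalid Message-Authenticator! (Shared secret is incorrect.)") exercises. As an added example, not Aerohive's code or anything from this thread, here is a minimal Python Access-Request builder and verifier that looks up the secret by NAS source IP and checks the RFC 2869 Message-Authenticator; the NAS IPs and secrets are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Constructed per-NAS secret table (placeholders, not real secrets): a RADIUS
# server keys the shared secret on the client's source IP, so an Aerohive AP
# and a third-party AP can each have their own without touching the other's.
NAS_SECRETS = {
    "10.0.0.10": b"aerohive-auto-generated-placeholder",  # hypothetical Aerohive AP
    "10.0.0.50": b"airport-testbed-secret-placeholder",   # hypothetical Apple AirPort
}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_access_request(secret: bytes, ident: int, username: bytes, req_auth=None) -> bytes:
    """Build an Access-Request with User-Name and Message-Authenticator (RFC 2869 5.14)."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: random per request
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    # The HMAC-MD5 is taken over the whole packet with the Message-Authenticator
    # value set to 16 zero octets, so assemble it zeroed first, then fill it in.
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def verify_message_authenticator(packet: bytes, nas_ip: str) -> bool:
    """Look up the NAS secret by source IP and check the Message-Authenticator."""
    # An unknown NAS or a wrong secret both end in the "Shared secret is incorrect" drop.
    secret = NAS_SECRETS.get(nas_ip)
    if secret is None or len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute length
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator present
```

A request signed with the AirPort's secret verifies only when it arrives from the AirPort's IP; the same packet checked against the Aerohive entry, or from an unregistered IP, is rejected.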


shoremedia

  • 22 Posts
  • 4 Reply Likes
Thanks, I'll give that a try!

shoremedia

  • 22 Posts
  • 4 Reply Likes
As a follow-up, adding a RADIUS Client/NAS worked perfectly.  I successfully added a few of our internal-testing-only RADIUS Client/NAS devices (such as an Apple AirPort Base Station), each with their own separate shared secret.
I confirmed that the Aerohive-to-Aerohive-as-RADIUS authentication (via their own auto-generated shared secret) was unaffected.
Thanks again for the RADIUS Client/NAS settings suggestion Mike & Manoah.