This conceptually has to be done at the RADIUS server and not within HiveOS, unless HiveOS is running its internal RADIUS server, in which case it would be up to Aerohive to implement.
FreeRADIUS has support for this with a backing database. If you do a Web search for this, I am sure that you can find the necessaries.
I have written an extension for Microsoft's Network Policy Server that implements this for the organisation that I work with to, in part, meet this very need. (Tricky due to inner and outer identities, so the need to bind authorisation to subsequent accounting, and the need to perform synchronous replication of state between NPS instances - I went down the PAXOS algorithm route with virtual synchrony for high availability reasons.)
As I wrote it in my own time, I am considering releasing it commercially.
(In the interests of absolute correctness, HiveOS could, conceptually, be extended do this where all RADIUS servers return the inner identity normalised in the User-Name AVP of an Access-Accept, but it would be a layering violation to do so - separation of concerns should apply.)