From the hardening guide here: https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us
"RADIUS secrets
The RADIUS protocol provides a weak form of encryption, which uses the RADIUS shared secret as the basis for the
encryption key. Ensure that the RADIUS shared secret is as long and as complex as possible – ArubaOS supports a
maximum length of 63 characters. There is no need for this secret to be memorable by a human, so use a service
such as http://www.random.org/ to generate a truly random string.
An authentication server performing authentication for WPA2 sessions will use the RADIUS protocol to send the
WPA2 Pairwise Master Key (PMK) to an Aruba mobility controller – an attacker intercepting this key would also be
able to monitor and decrypt Wi-Fi traffic over the air. If the link between the RADIUS server and the Aruba device is
trusted (e.g., within the same datacenter) then relying on RADIUS encryption is sufficient. However, if the path
traverses untrusted segments, such as WAN links, RADIUS traffic should be secured inside IPsec tunnels."
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides:
https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
Original Message:
Sent: May 16, 2024 10:50 AM
From: alexs-nd
Subject: RADIUS Keys - best practices
Hi, in the past I've always ensured that every switch/mobility controller has a uniquely generated shared key. I know that we can define our use of shared keys either unique to a device or, for example, have the same shared key across a given IP address scope e.g. 192/10
So does Aruba have a recommended best practice for RADIUS shared key assignment ... or is it just a case of "you can do these things ... take your pick..."
Rgds
Alex
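
The "weak form of encryption" in the quoted hardening guide can be seen in the User-Password hiding scheme from RFC 2865 section 5.2, where the keystream is simply MD5 over the shared secret and a per-packet value. The sketch below is an added example, not code from the thread or from HPE/Aruba; the function names and the alphanumeric alphabet are assumptions of this example, and the 63-character limit is the one stated in the guide.

```python
import hashlib
import secrets
import string

MAX_SECRET_LEN = 63  # ArubaOS maximum, per the quoted hardening guide
ALPHABET = string.ascii_letters + string.digits  # assumption: avoids CLI quoting issues


def generate_shared_secret(length=MAX_SECRET_LEN):
    """Return a random shared secret drawn from the OS CSPRNG."""
    if not 1 <= length <= MAX_SECRET_LEN:
        raise ValueError("length must be between 1 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: hide a User-Password value (NAS side)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(shared secret || previous ciphertext block)
        key = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], key)
        out += prev
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """Inverse operation (RADIUS server side); needs only the shared secret."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

Calling `generate_shared_secret()` once per switch or controller gives each device its own secret, so disclosure of one secret exposes only that device's RADIUS exchanges.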