Obscure RADIUS Bug in AirPort Extreme Base Station
This post is mostly so that if you search on Google for RADIUS or 802.1X bug and AirPort Extreme, you'll find this page that explains the workaround.
RADIUS is an authentication standard that allows user logins. In the Wi-Fi world, RADIUS is typically used as part of 802.1X, another standard that restricts access to a Wi-Fi network until the login is completed. A user needs an 802.1X client--built into Panther and later--with the right security overlay to protect the login. An access point, like the AirPort Extreme Base Station, is configured to hand off the login credentials to a RADIUS server for approval.
In order for the base station to talk to the RADIUS server, they must have a shared secret, entered in both locations. This secret can be quite long. However, the AirPort Extreme Base Station cannot accept a long secret via the AirPort Admin Utility--this is a bug, which I have tried to report to Apple to no avail. It doesn't seem to be fixed after several months and multiple firmware and utility releases.
AirPort Admin Utility won't produce an error on entry but neither will it allow you to update a configuration that contains a too-long shared secret. The solution? Download and use AirPort Management Tool, available on the AirPort support page at Apple.
The tool is designed to allow the group configuration of AirPort Extreme and Express Base Stations, and it doesn't share the bug that prevents entry of the longer secret.