Realm: candi.nhs.uk Full

candi.nhs.uk/ORPS: candi-nhs-uk-0

candi.nhs.uk/candi-nhs-uk-0/NRPS: roaming0.govroam.uk (212.219.190.139) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-0/roaming0.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 6.32 ms
Last State Change: Tue Dec 2 09:02:57 2025
Last Check: Sat Jan 17 04:12:50 2026
Next Check: Sat Jan 17 04:22:48 2026

candi.nhs.uk/candi-nhs-uk-0/roaming0.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:59:24 2025
Last Check: Sat Jan 17 04:09:23 2026
Next Check: Sat Jan 17 04:19:23 2026

candi.nhs.uk/candi-nhs-uk-0/roaming0.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Tue Dec 2 09:02:27 2025
Last Check: Sat Jan 17 04:12:27 2026
Next Check: Sat Jan 17 04:22:26 2026

candi.nhs.uk/candi-nhs-uk-0/roaming0.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Fri Dec 5 16:08:15 2025
Last Check: Sat Jan 17 04:08:14 2026
Next Check: Sat Jan 17 04:18:14 2026

candi.nhs.uk/candi-nhs-uk-0/roaming0.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 09:31:04 2026
Last Check: Sat Jan 17 04:11:03 2026
Next Check: Sat Jan 17 04:21:03 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-0/NRPS: roaming1.govroam.uk (212.219.209.43) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-0/roaming1.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 7.17 ms
Last State Change: Tue Dec 2 08:56:13 2025
Last Check: Sat Jan 17 04:16:03 2026
Next Check: Sat Jan 17 04:26:03 2026

candi.nhs.uk/candi-nhs-uk-0/roaming1.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:54:11 2025
Last Check: Sat Jan 17 04:14:09 2026
Next Check: Sat Jan 17 04:24:09 2026

candi.nhs.uk/candi-nhs-uk-0/roaming1.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Sun Dec 28 14:03:01 2025
Last Check: Sat Jan 17 04:12:59 2026
Next Check: Sat Jan 17 04:22:59 2026

candi.nhs.uk/candi-nhs-uk-0/roaming1.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Tue Dec 2 08:56:23 2025
Last Check: Sat Jan 17 04:16:21 2026
Next Check: Sat Jan 17 04:26:21 2026

candi.nhs.uk/candi-nhs-uk-0/roaming1.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 07:35:48 2026
Last Check: Sat Jan 17 04:15:46 2026
Next Check: Sat Jan 17 04:25:46 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-0/NRPS: roaming2.govroam.uk (212.219.247.59) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-0/roaming2.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 13.89 ms
Last State Change: Tue Dec 2 08:51:51 2025
Last Check: Sat Jan 17 04:11:41 2026
Next Check: Sat Jan 17 04:21:41 2026

candi.nhs.uk/candi-nhs-uk-0/roaming2.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:52:25 2025
Last Check: Sat Jan 17 04:12:23 2026
Next Check: Sat Jan 17 04:22:23 2026

candi.nhs.uk/candi-nhs-uk-0/roaming2.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Sun Jan 11 12:38:56 2026
Last Check: Sat Jan 17 04:08:54 2026
Next Check: Sat Jan 17 04:18:54 2026

candi.nhs.uk/candi-nhs-uk-0/roaming2.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Wed Jan 14 19:19:28 2026
Last Check: Sat Jan 17 04:09:26 2026
Next Check: Sat Jan 17 04:19:26 2026

candi.nhs.uk/candi-nhs-uk-0/roaming2.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 07:32:13 2026
Last Check: Sat Jan 17 04:12:11 2026
Next Check: Sat Jan 17 04:22:11 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-0/NRPS: roaming3.govroam.uk (195.194.21.203) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-0/roaming3.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 13.82 ms
Last State Change: Tue Dec 2 08:41:49 2025
Last Check: Sat Jan 17 04:11:39 2026
Next Check: Sat Jan 17 04:21:39 2026

candi.nhs.uk/candi-nhs-uk-0/roaming3.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:39:59 2025
Last Check: Sat Jan 17 04:09:58 2026
Next Check: Sat Jan 17 04:19:58 2026

candi.nhs.uk/candi-nhs-uk-0/roaming3.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Sun Dec 28 14:05:52 2025
Last Check: Sat Jan 17 04:15:50 2026
Next Check: Sat Jan 17 04:25:50 2026

candi.nhs.uk/candi-nhs-uk-0/roaming3.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Tue Jan 13 06:48:41 2026
Last Check: Sat Jan 17 04:08:39 2026
Next Check: Sat Jan 17 04:18:39 2026

candi.nhs.uk/candi-nhs-uk-0/roaming3.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 15:56:35 2026
Last Check: Sat Jan 17 04:16:34 2026
Next Check: Sat Jan 17 04:26:33 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/ORPS: candi-nhs-uk-1

candi.nhs.uk/candi-nhs-uk-1/NRPS: roaming0.govroam.uk (212.219.190.139) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-1/roaming0.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 9.95 ms
Last State Change: Tue Dec 2 09:02:41 2025
Last Check: Sat Jan 17 04:12:31 2026
Next Check: Sat Jan 17 04:22:31 2026

candi.nhs.uk/candi-nhs-uk-1/roaming0.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:59:50 2025
Last Check: Sat Jan 17 04:09:48 2026
Next Check: Sat Jan 17 04:19:48 2026

candi.nhs.uk/candi-nhs-uk-1/roaming0.govroam.uk/ Server Shared Secret

Output: UNKNOWN: No Data. No logs to check for last day
Last State Change: Fri Jan 16 15:55:05 2026
Last Check: Sat Jan 17 04:13:04 2026
Next Check: Sat Jan 17 04:23:04 2026

candi.nhs.uk/candi-nhs-uk-1/roaming0.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Tue Jan 13 02:14:58 2026
Last Check: Sat Jan 17 04:14:57 2026
Next Check: Sat Jan 17 04:24:57 2026

candi.nhs.uk/candi-nhs-uk-1/roaming0.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 09:59:29 2026
Last Check: Sat Jan 17 04:09:28 2026
Next Check: Sat Jan 17 04:19:28 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-1/NRPS: roaming1.govroam.uk (212.219.209.43) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-1/roaming1.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 9.98 ms
Last State Change: Tue Dec 2 08:56:02 2025
Last Check: Sat Jan 17 04:15:51 2026
Next Check: Sat Jan 17 04:25:51 2026

candi.nhs.uk/candi-nhs-uk-1/roaming1.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:56:22 2025
Last Check: Sat Jan 17 04:16:22 2026
Next Check: Sat Jan 17 04:26:20 2026

candi.nhs.uk/candi-nhs-uk-1/roaming1.govroam.uk/ Server Shared Secret

Output: UNKNOWN: No Data. No logs to check for last day
Last State Change: Fri Jan 16 15:53:50 2026
Last Check: Sat Jan 17 04:11:48 2026
Next Check: Sat Jan 17 04:21:48 2026

candi.nhs.uk/candi-nhs-uk-1/roaming1.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Wed Dec 3 18:10:38 2025
Last Check: Sat Jan 17 04:10:36 2026
Next Check: Sat Jan 17 04:20:36 2026

candi.nhs.uk/candi-nhs-uk-1/roaming1.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 09:51:16 2026
Last Check: Sat Jan 17 04:11:15 2026
Next Check: Sat Jan 17 04:21:15 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-1/NRPS: roaming2.govroam.uk (212.219.247.59) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-1/roaming2.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 16.64 ms
Last State Change: Tue Dec 2 08:52:59 2025
Last Check: Sat Jan 17 04:12:50 2026
Next Check: Sat Jan 17 04:22:49 2026

candi.nhs.uk/candi-nhs-uk-1/roaming2.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:52:16 2025
Last Check: Sat Jan 17 04:12:14 2026
Next Check: Sat Jan 17 04:22:14 2026

candi.nhs.uk/candi-nhs-uk-1/roaming2.govroam.uk/ Server Shared Secret

Output: UNKNOWN: No Data. No logs to check for last day
Last State Change: Fri Jan 16 15:48:34 2026
Last Check: Sat Jan 17 04:16:33 2026
Next Check: Sat Jan 17 04:26:33 2026

candi.nhs.uk/candi-nhs-uk-1/roaming2.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Thu Jan 8 06:52:02 2026
Last Check: Sat Jan 17 04:12:00 2026
Next Check: Sat Jan 17 04:22:00 2026

candi.nhs.uk/candi-nhs-uk-1/roaming2.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Mon Jan 12 07:18:09 2026
Last Check: Sat Jan 17 04:08:08 2026
Next Check: Sat Jan 17 04:18:08 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

candi.nhs.uk/candi-nhs-uk-1/NRPS: roaming3.govroam.uk (195.194.21.203) - Dropping Auth Requests /

candi.nhs.uk/candi-nhs-uk-1/roaming3.govroam.uk/ Ping

Output: PING OK - Packet loss = 0%, RTA = 16.22 ms
Last State Change: Tue Dec 2 08:42:55 2025
Last Check: Sat Jan 17 04:12:45 2026
Next Check: Sat Jan 17 04:22:45 2026

candi.nhs.uk/candi-nhs-uk-1/roaming3.govroam.uk/ RADIUS Port

Output: OK: Port 1812 is probably open, unless there's a DROP firewall
Last State Change: Tue Dec 2 08:38:33 2025
Last Check: Sat Jan 17 04:08:32 2026
Next Check: Sat Jan 17 04:18:32 2026

candi.nhs.uk/candi-nhs-uk-1/roaming3.govroam.uk/ Server Shared Secret

Output: UNKNOWN: No Data. No logs to check for last day
Last State Change: Fri Jan 16 15:55:28 2026
Last Check: Sat Jan 17 04:13:26 2026
Next Check: Sat Jan 17 04:23:26 2026

candi.nhs.uk/candi-nhs-uk-1/roaming3.govroam.uk/ Simple Authentication

Output: OK: Return code is as expected, Access-Reject
Last State Change: Thu Jan 15 06:45:30 2026
Last Check: Sat Jan 17 04:15:29 2026
Next Check: Sat Jan 17 04:25:29 2026

candi.nhs.uk/candi-nhs-uk-1/roaming3.govroam.uk/ Zombie

Output: CRITICAL: Marked as down within the last day
Last State Change: Sun Jan 11 13:38:27 2026
Last Check: Sat Jan 17 04:08:23 2026
Next Check: Sat Jan 17 04:18:23 2026

Meaning:: Over the last day, the ORPS has been marked as 'down' by the NRPS. A server is marked as 'down' (or a Zombie) if it doesn't respond to an authentication query within 30s. If the ORPS is serving a Federation then the chances are that one of the Federation members isn't responding to a proxied query. If the ORPS isn't serving a Federation then it's a problem with the local configuration.
Solution:: An independently connected site needs to fix the configuration to ensure that the ORPS is sending a response to ALL auth requests. A Federation Operator nedds to check their logs to determine which members aren't sending responses and help them correct their configuration.

Called Station ID Check

Output: WARNING: 98% Lower case characters in MAC (last: 2026-01-16 23:49:01)
Last State Change: Tue Dec 2 08:30:32 2025
Last Check: Sat Jan 17 04:10:29 2026
Next Check: Sat Jan 17 04:25:27 2026

Meaning:: The Called-Station-ID contains the MAC address of the device the client connects to as well as, potentially, the SSID of the wireless network it connected to. The format of the MAC address is specified in RFC 3580 as 'XX-XX-XX-XX-XX-XX:SSID' with '-' being the only valid separator and all upper case. The SSID should be appended.
Having the Called-Station-ID included in proxied requests makes it possible to ensure that the SSID being broadcast matches the service requirements.
Solution:: Configure your wireless system to provide the CSI in the RFC3580 format.

Calling Station ID Check

Output: WARNING: 100% MAC format wrong, contains lower case (last: 2026-01-16 23:49:01)
Last State Change: Tue Dec 2 08:30:53 2025
Last Check: Sat Jan 17 04:10:52 2026
Next Check: Sat Jan 17 04:25:50 2026

Meaning:: Calling Station ID identifies the device making the connection and RFC 3580 states that the format should be XX-XX-XX-XX-XX-XX (i.e. '-' separated and upper case).
Solution:: Configure your wireless system to use upper case and '-' separated pairs.

Operator Check

Output: OK: 100% Operator-Name present (last: 2026-01-16 23:49:01)
Last State Change: Thu Jan 1 20:19:45 2026
Last Check: Sat Jan 17 04:04:43 2026
Next Check: Sat Jan 17 04:19:42 2026

Realm Syntax Check

Output: OK: 100.0% Good syntax (last: 2026-01-16 23:49:01)
Last State Change: Thu Jan 15 01:30:08 2026
Last Check: Sat Jan 17 04:15:05 2026
Next Check: Sat Jan 17 04:30:04 2026

VLAN Check

Output: CRITICAL: 88% Tunnel-Type attr present (last: 2026-01-16 23:49:01). 88% Tunnel-Medium-Type attr present (last: 2026-01-16 23:49:01). 88% Tunnel-Private-Group-ID (last: 2026-01-16 23:49:01)
Last State Change: Tue Dec 2 08:34:33 2025
Last Check: Sat Jan 17 04:14:33 2026
Next Check: Sat Jan 17 04:29:31 2026

Meaning:: Various attributes such as Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID being sent out in responses. The 'Tunnel' attributes are commonly used to instruct wireless controllers which VLAN to place a client in. Thus if these attributes aren't filtered out then one site might be sending these attributes to another site. At best users won't be connected, at worst they'll be placed on an inappropriate VLAN.
Solution:: Apply filters on the RADIUS servers to restrict the attributes to just the set as specified in the Tech Spec. Both outgoing AND incoming packets need the filters applied to them for everyone's protection