Realm: hey.nhs.uk Full

hey.nhs.uk/ORPS: hey-nhs-uk-0

hey.nhs.uk/hey-nhs-uk-0/NRPS: roaming0.govroam.uk (212.219.190.139) - ICMP Blocked / IPS firewall /

hey.nhs.uk/hey-nhs-uk-0/roaming0.govroam.uk/ Ping

Output: PING CRITICAL - Packet loss = 100%
Last State Change: Sat Apr 11 05:17:07 2026
Last Check: Mon Apr 13 08:24:06 2026
Next Check: Mon Apr 13 08:34:06 2026

Meaning:: A failed Ping test means that ICMP packets are either not getting to the server, or the responses aren't getting back.
Solution:: Check your firewall logs to see if the packets are arriving. If not, check your routing. If they are, then check to see if they're being DROPed or REJECTed. If you're confident that a response is being sent then please let Jisc know at govroam@jisc.ac.uk

hey.nhs.uk/hey-nhs-uk-0/roaming0.govroam.uk/ RADIUS Port

Output: CRITICAL: No response. Host down or firewall dropping new connections
Last State Change: Tue Apr 7 07:28:49 2026
Last Check: Mon Apr 13 08:26:44 2026
Next Check: Mon Apr 13 08:36:44 2026

Meaning:: A simple port scan of port 1812/udp was attempted and there was no response from the port. This implies that either the port is not open i.e. there isn't a daemon running on it, or that there is a firewall configured to not to respond to such scans. Dropping such packets isn't a problem as long as the server is able to respond to RADIUS auth requests.
Solution:: Check the state of the RADIUS daemon and ensure that it's up and running on port 1812/udp. If it is, then check your firewall(s) to see if they're configured to drop incoming connections.

hey.nhs.uk/hey-nhs-uk-0/roaming0.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Tue Apr 7 07:28:13 2026
Last Check: Mon Apr 13 08:28:12 2026
Next Check: Mon Apr 13 08:38:12 2026

hey.nhs.uk/hey-nhs-uk-0/roaming0.govroam.uk/ Simple Authentication

Output: OK: Got a response but the Message Authenticator is bad
Last State Change: Tue Apr 7 07:27:12 2026
Last Check: Mon Apr 13 08:27:11 2026
Next Check: Mon Apr 13 08:37:11 2026

hey.nhs.uk/hey-nhs-uk-0/roaming0.govroam.uk/ Zombie

Output: UNKNOWN: No Data. No data but not marked as down within the last week
Last State Change: Thu Apr 9 07:56:30 2026
Last Check: Mon Apr 13 08:26:28 2026
Next Check: Mon Apr 13 08:36:28 2026

hey.nhs.uk/hey-nhs-uk-0/NRPS: roaming1.govroam.uk (212.219.209.43) - ICMP Blocked / IPS firewall /

hey.nhs.uk/hey-nhs-uk-0/roaming1.govroam.uk/ Ping

Output: PING CRITICAL - Packet loss = 100%
Last State Change: Fri Apr 10 17:36:08 2026
Last Check: Mon Apr 13 08:23:06 2026
Next Check: Mon Apr 13 08:33:06 2026

Meaning:: A failed Ping test means that ICMP packets are either not getting to the server, or the responses aren't getting back.
Solution:: Check your firewall logs to see if the packets are arriving. If not, check your routing. If they are, then check to see if they're being DROPed or REJECTed. If you're confident that a response is being sent then please let Jisc know at govroam@jisc.ac.uk

hey.nhs.uk/hey-nhs-uk-0/roaming1.govroam.uk/ RADIUS Port

Output: CRITICAL: No response. Host down or firewall dropping new connections
Last State Change: Tue Apr 7 07:26:29 2026
Last Check: Mon Apr 13 08:24:24 2026
Next Check: Mon Apr 13 08:34:24 2026

Meaning:: A simple port scan of port 1812/udp was attempted and there was no response from the port. This implies that either the port is not open i.e. there isn't a daemon running on it, or that there is a firewall configured to not to respond to such scans. Dropping such packets isn't a problem as long as the server is able to respond to RADIUS auth requests.
Solution:: Check the state of the RADIUS daemon and ensure that it's up and running on port 1812/udp. If it is, then check your firewall(s) to see if they're configured to drop incoming connections.

hey.nhs.uk/hey-nhs-uk-0/roaming1.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Tue Apr 7 07:25:04 2026
Last Check: Mon Apr 13 08:25:03 2026
Next Check: Mon Apr 13 08:35:03 2026

hey.nhs.uk/hey-nhs-uk-0/roaming1.govroam.uk/ Simple Authentication

Output: OK: Got a response but the Message Authenticator is bad
Last State Change: Tue Apr 7 07:24:14 2026
Last Check: Mon Apr 13 08:24:13 2026
Next Check: Mon Apr 13 08:34:13 2026

hey.nhs.uk/hey-nhs-uk-0/roaming1.govroam.uk/ Zombie

Output: UNKNOWN: No Data. No data but not marked as down within the last week
Last State Change: Tue Apr 7 07:27:08 2026
Last Check: Mon Apr 13 08:25:06 2026
Next Check: Mon Apr 13 08:35:06 2026

hey.nhs.uk/hey-nhs-uk-0/NRPS: roaming2.govroam.uk (212.219.247.59) - ICMP Blocked / IPS firewall /

hey.nhs.uk/hey-nhs-uk-0/roaming2.govroam.uk/ Ping

Output: (Service Check Timed Out)
Last State Change: Sat Apr 11 05:49:38 2026
Last Check: Mon Apr 13 08:26:36 2026
Next Check: Mon Apr 13 08:36:36 2026

Meaning:: A failed Ping test means that ICMP packets are either not getting to the server, or the responses aren't getting back.
Solution:: Check your firewall logs to see if the packets are arriving. If not, check your routing. If they are, then check to see if they're being DROPed or REJECTed. If you're confident that a response is being sent then please let Jisc know at govroam@jisc.ac.uk

hey.nhs.uk/hey-nhs-uk-0/roaming2.govroam.uk/ RADIUS Port

Output: CRITICAL: No response. Host down or firewall dropping new connections
Last State Change: Tue Apr 7 07:18:50 2026
Last Check: Mon Apr 13 08:26:46 2026
Next Check: Mon Apr 13 08:36:45 2026

Meaning:: A simple port scan of port 1812/udp was attempted and there was no response from the port. This implies that either the port is not open i.e. there isn't a daemon running on it, or that there is a firewall configured to not to respond to such scans. Dropping such packets isn't a problem as long as the server is able to respond to RADIUS auth requests.
Solution:: Check the state of the RADIUS daemon and ensure that it's up and running on port 1812/udp. If it is, then check your firewall(s) to see if they're configured to drop incoming connections.

hey.nhs.uk/hey-nhs-uk-0/roaming2.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Tue Apr 7 07:19:56 2026
Last Check: Mon Apr 13 08:29:56 2026
Next Check: Mon Apr 13 08:39:55 2026

hey.nhs.uk/hey-nhs-uk-0/roaming2.govroam.uk/ Simple Authentication

Output: OK: Got a response but the Message Authenticator is bad
Last State Change: Tue Apr 7 07:20:10 2026
Last Check: Mon Apr 13 08:30:09 2026
Next Check: Mon Apr 13 08:40:09 2026

hey.nhs.uk/hey-nhs-uk-0/roaming2.govroam.uk/ Zombie

Output: UNKNOWN: No Data. No data but not marked as down within the last week
Last State Change: Tue Apr 7 07:18:34 2026
Last Check: Mon Apr 13 08:26:32 2026
Next Check: Mon Apr 13 08:36:32 2026

hey.nhs.uk/hey-nhs-uk-0/NRPS: roaming3.govroam.uk (195.194.21.203) - ICMP Blocked / IPS firewall /

hey.nhs.uk/hey-nhs-uk-0/roaming3.govroam.uk/ Ping

Output: PING CRITICAL - Packet loss = 100%
Last State Change: Tue Apr 7 07:17:26 2026
Last Check: Mon Apr 13 08:24:26 2026
Next Check: Mon Apr 13 08:34:26 2026

Meaning:: A failed Ping test means that ICMP packets are either not getting to the server, or the responses aren't getting back.
Solution:: Check your firewall logs to see if the packets are arriving. If not, check your routing. If they are, then check to see if they're being DROPed or REJECTed. If you're confident that a response is being sent then please let Jisc know at govroam@jisc.ac.uk

hey.nhs.uk/hey-nhs-uk-0/roaming3.govroam.uk/ RADIUS Port

Output: CRITICAL: No response. Host down or firewall dropping new connections
Last State Change: Tue Apr 7 07:16:45 2026
Last Check: Mon Apr 13 08:24:40 2026
Next Check: Mon Apr 13 08:34:40 2026

Meaning:: A simple port scan of port 1812/udp was attempted and there was no response from the port. This implies that either the port is not open i.e. there isn't a daemon running on it, or that there is a firewall configured to not to respond to such scans. Dropping such packets isn't a problem as long as the server is able to respond to RADIUS auth requests.
Solution:: Check the state of the RADIUS daemon and ensure that it's up and running on port 1812/udp. If it is, then check your firewall(s) to see if they're configured to drop incoming connections.

hey.nhs.uk/hey-nhs-uk-0/roaming3.govroam.uk/ Server Shared Secret

Output: OK: Good shared secret over last day
Last State Change: Tue Apr 7 07:15:11 2026
Last Check: Mon Apr 13 08:25:09 2026
Next Check: Mon Apr 13 08:35:09 2026

hey.nhs.uk/hey-nhs-uk-0/roaming3.govroam.uk/ Simple Authentication

Output: OK: Got a response but the Message Authenticator is bad
Last State Change: Tue Apr 7 07:16:32 2026
Last Check: Mon Apr 13 08:26:31 2026
Next Check: Mon Apr 13 08:36:31 2026

hey.nhs.uk/hey-nhs-uk-0/roaming3.govroam.uk/ Zombie

Output: UNKNOWN: No Data. No data but not marked as down within the last week
Last State Change: Tue Apr 7 07:19:12 2026
Last Check: Mon Apr 13 08:27:10 2026
Next Check: Mon Apr 13 08:37:10 2026

Called Station ID Check

Output: WARNING: 100% Lower case characters in MAC (last: 2026-04-13 08:31:26). 62% Missing SSID, as of 2026-04-13 08:31:26
Last State Change: Tue Apr 7 07:06:27 2026
Last Check: Mon Apr 13 08:31:28 2026
Next Check: Mon Apr 13 08:46:26 2026

Meaning:: The Called-Station-ID contains the MAC address of the device the client connects to as well as, potentially, the SSID of the wireless network it connected to. The format of the MAC address is specified in RFC 3580 as 'XX-XX-XX-XX-XX-XX:SSID' with '-' being the only valid separator and all upper case. The SSID should be appended.
Having the Called-Station-ID included in proxied requests makes it possible to ensure that the SSID being broadcast matches the service requirements.
Solution:: Configure your wireless system to provide the CSI in the RFC3580 format.

Calling Station ID Check

Output: WARNING: 99% MAC format wrong, contains lower case (last: 2026-04-13 08:19:01)
Last State Change: Tue Apr 7 07:09:49 2026
Last Check: Mon Apr 13 08:19:45 2026
Next Check: Mon Apr 13 08:34:44 2026

Meaning:: Calling Station ID identifies the device making the connection and RFC 3580 states that the format should be XX-XX-XX-XX-XX-XX (i.e. '-' separated and upper case).
Solution:: Configure your wireless system to use upper case and '-' separated pairs.

Operator Check

Output: WARNING: 100% Missing Operator-Name (last: 2026-04-13 08:31:25)
Last State Change: Tue Apr 7 07:06:25 2026
Last Check: Mon Apr 13 08:31:25 2026
Next Check: Mon Apr 13 08:46:24 2026

Meaning:: Operator-Name is missing from RADIUS requests. Operator-Name identifies the site sending the requests and is used by home sites in audit trails and in cases of mis-use.
Solution:: Where possible (FreeRADIUS, radsecproxy, RADIATOR) Operator-Name should be configured to send the site identifier (in the format 1realm.name e.g. 1holby.nhs.uk).

Realm Syntax Check

Output: WARNING: 1.6% 3GPP realm (last: 2026-04-13 08:03:17)
Last State Change: Mon Apr 13 04:49:17 2026
Last Check: Mon Apr 13 08:19:15 2026
Next Check: Mon Apr 13 08:34:13 2026

Meaning:: Users and devices often put in their email addresses or preconfigured setting such as '@gmail.com' or '3gppnetwork.org' which are never going to be Govroam realms.
Solution:: Filter out the common realms which are never going to be Govroam sites.

VLAN Check

Output: CRITICAL: 100% Tunnel-Type attr present (last: 2026-04-13 08:31:15). 100% Tunnel-Medium-Type attr present (last: 2026-04-13 08:31:15). 100% Tunnel-Private-Group-ID (last: 2026-04-13 08:31:15)
Last State Change: Tue Apr 7 07:06:21 2026
Last Check: Mon Apr 13 08:31:18 2026
Next Check: Mon Apr 13 08:46:18 2026

Meaning:: Various attributes such as Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID being sent out in responses. The 'Tunnel' attributes are commonly used to instruct wireless controllers which VLAN to place a client in. Thus if these attributes aren't filtered out then one site might be sending these attributes to another site. At best users won't be connected, at worst they'll be placed on an inappropriate VLAN.
Solution:: Apply filters on the RADIUS servers to restrict the attributes to just the set as specified in the Tech Spec. Both outgoing AND incoming packets need the filters applied to them for everyone's protection