Govroam

The Roaming solution for the public sector

Fourth NRPS - Go-Live 9am on 10th July 2018

Summary

In an effort to provide better resilience, Jisc are adding a fourth RADIUS server to act as a National RADIUS Proxy Server (NRPS). This will be located at our Leeds data centre alongside the third NRPS. In the event of a data centre failure there will be at least two NRPS still available, which is still resilient because only one NRPS is required to handle the load.

New Topology. Green lines indicate new relationships

Home (fully boarded) sites:

Requirements

Each NRPS is entirely independent and each has all sites configured as clients and proxies. If an NRPS were missing the configuration for a site, it would not be able to proxy authentication requests from, or to, that site. The same applies to the fourth NRPS: before any site can use it, all sites must be configured on it. The implication is that the fourth NRPS will not be ready to use until ALL sites have it configured, and if any site tries using it prematurely, authentication requests sent to that NRPS will fail.

Note: Only RADIUS servers (RRPS if you're a Federation, ORPS if connecting individually) directly connected to Jisc are affected by this change.

Plan

Connected sites are expected to add their new configuration on or before the Go-Live date. Depending on its software and policy, each site will decide whether to configure the new NRPS in advance of the date or on the date, i.e. if it's not feasible to add the configuration in such a way that it's resident but inactive, then configuring on the day is the alternative.

Method

Jisc will communicate with each connected site (RFO or individually connected organisation) and supply them with the appropriate details (additional shared secrets and the address of the fourth NRPS) to be added to their RRPS or ORPS. Sites can then choose to

a) add the configuration in a dormant state and activate it at the Go-Live date and time, OR

b) wait until the Go-Live date and time and add it then.

The Fourth NRPS will be live for the duration so that sites can test their configuration, set up any monitoring etc. but, and this point cannot be overstressed, any live authentication requests to that NRPS before the Go-Live date are likely to return a Reject, rendering the user unable to connect.
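For option (a), one way to confirm that the fourth NRPS entry is resident but inactive before Go-Live is to audit the proxy configuration. This is an added example, not Jisc's tooling: it assumes a FreeRADIUS-style proxy.conf, and the address 192.0.2.4, the server and pool names, and treating the Go-Live time as site-local are all assumptions.

```python
import re
from datetime import datetime

GO_LIVE = datetime(2018, 7, 10, 9, 0)  # Go-Live from this page, assumed site-local time
NRPS4 = "192.0.2.4"                    # placeholder; use the address Jisc supplies

# Constructed sample: fourth NRPS defined, but commented out of the pool (dormant).
SAMPLE = """
home_server nrps1 {
    ipaddr = 192.0.2.1
}
home_server nrps4 {
    ipaddr = 192.0.2.4
}
home_server_pool govroam {
    type = fail-over
    home_server = nrps1
    # home_server = nrps4
}
"""

def _blocks(text, keyword):
    """Yield (name, body) for each 'keyword NAME { ... }' block, matching braces."""
    text = re.sub(r"#.*", "", text)  # commented-out entries count as inactive
    for m in re.finditer(r"(?m)^\s*%s\s+(\S+)\s*\{" % re.escape(keyword), text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def nrps4_state(conf, addr=NRPS4):
    """Return 'absent', 'dormant' (defined, in no pool) or 'active' (in a pool)."""
    names = {n for n, body in _blocks(conf, "home_server")
             if re.search(r"^\s*ipaddr\s*=\s*%s\s*$" % re.escape(addr), body, re.M)}
    if not names:
        return "absent"
    for _, body in _blocks(conf, "home_server_pool"):
        members = re.findall(r"^\s*home_server\s*=\s*(\S+)", body, re.M)
        if names & set(members):
            return "active"
    return "dormant"

def check(conf, now, addr=NRPS4, go_live=GO_LIVE):
    """Apply the Home-site rule: not in a pool before Go-Live, in a pool after."""
    state = nrps4_state(conf, addr)
    if now < go_live:
        return "PREMATURE" if state == "active" else "OK"
    return "OK" if state == "active" else "OVERDUE"
```

Run `check()` against the deployed file from a scheduled job or a pre-reload hook; `PREMATURE` means live requests could already be routed to the fourth NRPS and rejected.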

Testing of your local accounts can be done through RADIUS EAP Tester.

Visited Only sites:

Because Visited Only sites only send authentication requests to the NRPS, you should wait until after the Go-Live date, when all the receiving (Home) sites are live, before applying your new configuration.

Questions?

Please contact govroam@jisc.ac.uk if you have any questions.

jisc/fourth_nrps.txt · Last modified: 2018/07/10 07:25 by admin