• Programs
  • Canada’s National Research and Education Network (NREN)
    • NREN Partners
    • NREN Connections
    • Global Research and Education Network (GREN)
  • Cybersecurity Program
    • Cybersecurity Initiatives Program (CIP)
    • Participate in the Cybersecurity Initiatives Program (CIP)
    • Funded Initiatives
    • Frequently Asked Questions
    • Cybersecurity Support
  • CANARIE Network
    • Connect to the CANARIE Network
    • Network Services
    • MOXY: Global Exchange Point for Research and Education
    • Network Support & Tools
  • DAIR Cloud Program
    • DAIR Boosterpack Catalogue
  • Identity & Access Management
    • Canadian Access Federation (CAF)
    • eduroam
    • Federated Identity Management (FIM)
    • Case Studies
    • Identity & Access Management Support
• Membership
  • CANARIE Membership
  • Member List
• About Us
  • About Us
  • Executive Team
  • Board of Directors
  • Advisory Committees
  • Media Kit
  • Policies
  • Document Library
• Careers
• Contact Us
• News
  • News
  • Blog
  • Press Releases
• Events
  • All Events
  • CANARIE Summit
  • Canadian SecuR&E Forum
  • Hosted Events
  • Community Events

Search Search

Français

Home / How To: Configure Ruckus Cloudpath RADIUS for eduroam in Canada

As national operators of eduroam, we designed the eduroam service in Canada to be resilient by hosting four Federation-Level RADIUS servers (FLRs) across Canada (two in the West and two in the East).

This document outlines the steps required to configure a Ruckus Cloudpath RADIUS server at an eduroam identity provider (IdP) site, accepting traffic from all four FLRs IP addresses in Canada. : https://www.canarie.ca/document/caf-firewall-and-ip-address-recommendations-for-eduroam/

Outbound RADIUS traffic from an eduroam Service Provider (SP) site to authenticate eduroam users who are roaming off-campus may be sent to any of the four FLRs, so when eduroam IdP sites configure all four FLRs on their server(s?), Radius traffic should flow unimpeded to authenticate their users while roaming abroad.

A limitation in the Cloudpath provisioning UI for eduroam (allowing just two FLRs IPs to be configured), could cause RADIUS request timeouts/failure, which would result in the inability to authenticate users and grant them access to eduroam.

The following steps provide a workaround to add additional FLRs IPs by opening all possible RADIUS pathways to maximize connectivity to the eduroam service for users whenever and wherever they are roaming  in Canada.

1.    Connectivity Issue Overview

Currently, only two FLRs IP addresses can be configured when onboarding an institution using Ruckus Cloudpath. This limitation opens the potential for RADIUS requests to be missed when directed to unconfigured IPs, leading to authentication failures.

The diagram below shows how RADIUS traffic could be missed when only two FLRs are configured:

2. Configuration Steps

Follow the steps below to update the Cloudpath configuration:

1. Log in to your Cloudpath instance.

• Navigate to Configuration > RADIUS Server.

• Under the eduroam tab, obtain the two currently configured FLRs IP addresses. Note: We recommend you configure the first IP address to be the closest to you and the second IP address to be in the opposite region in Canada (East/West).

• Note (and copy) the RADIUS shared secret, as it will be reused.

• Go to the Clients tab and add the missing two FLRs IP addresses using the same shared secret.

3. Final Notes

Completing this configuration will ensure that your institution’s RADIUS server can communicate with all four FLRs, virtually eliminating request timeouts and improving eduroam service availability and reliability for users while roaming at other eduroam sites across Canada.