Firewall Configuration Guidelines
RADIUS traffic is carried by UDP with various port pairs. Current conventions call for udp/1812, udp/1813 (for authentication and accounting respectively) where the now deprecated ports of udp/1645, udp/1646 are used by some RADIUS servers. The eduroam-US TLRS responds to both sets of authentication and accounting ports.
Your firewalls must allow all RADIUS traffic between the eduroam-US Top-Level RADIUS Server(s) (TLRS) and your RADIUS server(s) on the ports you choose during configuration.