
Handling inappropriate eduroam usage

Institutional and User Obligation
 
Network access provided to visitors is subject to the SP's network access Acceptable Use Policy (AUP). SPs may withdraw service to an individual user in cases of network abuse and should notify the Home Institution which is responsible for identifying and taking appropriate action against the individual user concerned.
 
Individual users are expected to have entered into a formal agreement regarding network access (Acceptable Use Policy, AUP) with their home institution (typically agreeing to institutional policies when joining the institution), with the home institution having authority to take action of significance against users who violate the AUP agreement. Across the R&E sector, there is an assumption that AUPs will be substantially equivalent.
 
In order to deliver trust in the eduroam AU federation, when an eduroam user's network access behaviour is detected to be in breach of the SP's AUP, eduroam AU policies require the SP and the user's IdP to work together to remedy the user's activities. In practice this involves the SP communicating the non-compliance details, together with the RADIUS logs corresponding to the user's non-compliance, to the user's home institution (IdP), which must use its own RADIUS logs to identify the user and deal with the individual according to local policies (i.e. take action against the user as if the non-compliance had occurred on the home institution network).
 
Role of Logs
 
The log capture and retention policies of the eduroam Global Policy ensure this information is available for a reasonable time period (nominally 6 months).
 
For SPs, logs captured and provided to the IdP in event of AUP noncompliance must include:
  • timestamp (UTC, accuracy ensured e.g. via NTP)
  • outer EAP identity (User-Name attribute, including the realm i.e. identifying the home institution)
  • MAC address of the user device (Calling-Station-Id attribute)
  • RADIUS response-type (will be "Access-Accept")
  • NAS-IP-Address and/or NAS-Identifier (originating Access Point/Wireless LAN Controller identifier to record user location information)

SPs must also record logs from network infrastructure enabling correlation of a client's MAC address with the allocated IP address, as non-compliance reports (e.g. copyright violation notifications) will typically include the offending user's IP address.
 
For IdPs, RADIUS logs required to associate the SP log with an individual user must include:
 
  • timestamp (UTC, accuracy ensured e.g. via NTP)
  • outer EAP identity (User-Name attribute, including the realm i.e. identifying the home institution)
  • inner EAP identity (User-Name attribute from decrypted tunneled RADIUS request i.e. real username of user)
  • MAC address of the user device (Calling-Station-Id attribute)
  • RADIUS response-type (will be "Access-Accept")
  • NAS-IP-Address and/or NAS-Identifier (attributes sent from SP providing user location information)
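The two attribute lists above describe a chain: the report gives an IP address and a time; the SP's DHCP or network logs turn that into a MAC address; the SP's RADIUS log turns the MAC and time into an outer identity (whose realm names the home institution) and a NAS identifier; and the IdP's RADIUS log turns outer identity, MAC and time into the inner identity. The following Python script is an added illustration of that chain. It is not part of the eduroam AU guidance and not the tooling of any RADIUS server. The log lines, realms, usernames, NAS names and the simple `timestamp key=value` line format are all constructed for the example; real FreeRADIUS, NPS or DHCP logs are laid out differently but carry the same attributes. The `Inner-User-Name` key is a constructed stand-in for however a given IdP records the decrypted tunnelled identity.

```python
"""Correlating an abuse report with eduroam SP and IdP logs (added example, constructed data)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed SP DHCP lease log: which MAC held which IP, and from when.
SP_DHCP_LOG = """\
2024-05-02T09:58:10Z lease ip=10.20.30.41 mac=aa:bb:cc:dd:ee:01 action=ACK
2024-05-02T10:02:55Z lease ip=10.20.30.42 mac=aa:bb:cc:dd:ee:02 action=ACK
2024-05-02T14:31:07Z lease ip=10.20.30.41 mac=aa:bb:cc:dd:ee:03 action=ACK
"""

# Constructed SP RADIUS log: outer identity only, as the SP never sees the inner identity.
SP_RADIUS_LOG = """\
2024-05-02T09:57:58Z User-Name=anonymous@example-uni.edu.au Calling-Station-Id=AA-BB-CC-DD-EE-01 NAS-Identifier=wlc-lib-01 Packet-Type=Access-Accept
2024-05-02T10:02:40Z User-Name=anonymous@other.ac.nz Calling-Station-Id=AA-BB-CC-DD-EE-02 NAS-Identifier=wlc-lib-01 Packet-Type=Access-Accept
2024-05-02T14:30:51Z User-Name=visitor@example-uni.edu.au Calling-Station-Id=AA-BB-CC-DD-EE-03 NAS-Identifier=wlc-eng-02 Packet-Type=Access-Reject
2024-05-02T14:30:59Z User-Name=visitor@example-uni.edu.au Calling-Station-Id=AA-BB-CC-DD-EE-03 NAS-Identifier=wlc-eng-02 Packet-Type=Access-Accept
"""

# Constructed IdP RADIUS log for realm example-uni.edu.au, including the inner (tunnelled) identity.
IDP_RADIUS_LOG = """\
2024-05-02T09:57:57Z User-Name=anonymous@example-uni.edu.au Inner-User-Name=jsmith Calling-Station-Id=AA-BB-CC-DD-EE-01 NAS-Identifier=wlc-lib-01 Packet-Type=Access-Accept
2024-05-02T14:30:58Z User-Name=visitor@example-uni.edu.au Inner-User-Name=akhan Calling-Station-Id=AA-BB-CC-DD-EE-03 NAS-Identifier=wlc-eng-02 Packet-Type=Access-Accept
"""


def parse_ts(s: str) -> datetime:
    """All logs are assumed to carry UTC timestamps (the guidance asks for UTC with NTP-disciplined clocks)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_kv_log(text: str) -> list:
    """Parse the constructed 'timestamp key=value ...' lines into dicts; 'ts' holds the datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": parse_ts(ts)}
        for tok in rest.split():
            k, _, v = tok.partition("=")
            ev[k] = v
        events.append(ev)
    return events


def norm_mac(raw: str) -> str:
    """Calling-Station-Id spellings differ per vendor (AA-BB-.., aa:bb:.., aabb.ccdd..); compare as 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def realm_of(outer_identity: str) -> Optional[str]:
    """The realm after '@' names the home institution; None if the outer identity has no realm."""
    _, at, realm = outer_identity.rpartition("@")
    return realm if at else None


def ip_to_mac(dhcp_events, ip: str, at: datetime) -> Optional[str]:
    """Most recent acknowledged lease of `ip` at or before `at`; IPs are reused, so the time matters."""
    cands = [e for e in dhcp_events if e.get("ip") == ip and e.get("action") == "ACK" and e["ts"] <= at]
    return norm_mac(max(cands, key=lambda e: e["ts"])["mac"]) if cands else None


def sp_session_for(sp_events, mac: str, at: datetime, max_age=timedelta(hours=24)):
    """Most recent Access-Accept for `mac` at or before `at` within `max_age`; rejects never produced a session."""
    cands = [e for e in sp_events
             if e.get("Packet-Type") == "Access-Accept"
             and norm_mac(e["Calling-Station-Id"]) == mac
             and at - max_age <= e["ts"] <= at]
    return max(cands, key=lambda e: e["ts"]) if cands else None


def idp_inner_identity(idp_events, outer: str, mac: str, sp_ts: datetime,
                       tolerance=timedelta(seconds=30)) -> Optional[str]:
    """IdP side: match outer identity + MAC + timestamp (allowing bounded clock skew) to the inner identity."""
    for e in idp_events:
        if (e.get("Packet-Type") == "Access-Accept" and e.get("User-Name") == outer
                and norm_mac(e["Calling-Station-Id"]) == mac and abs(e["ts"] - sp_ts) <= tolerance):
            return e.get("Inner-User-Name")
    return None


def trace_report(ip: str, reported_at: str, dhcp_log=SP_DHCP_LOG, sp_log=SP_RADIUS_LOG, idp_log=IDP_RADIUS_LOG) -> dict:
    """Run the whole chain: IP + time -> MAC -> outer identity/realm/NAS (SP) -> inner identity (IdP)."""
    at = parse_ts(reported_at)
    mac = ip_to_mac(parse_kv_log(dhcp_log), ip, at)
    if mac is None:
        return {"error": "no DHCP lease for that IP at that time"}
    sess = sp_session_for(parse_kv_log(sp_log), mac, at)
    if sess is None:
        return {"error": "no Access-Accept for that MAC in the lookback window", "mac": mac}
    outer = sess["User-Name"]
    result = {"mac": mac, "outer_identity": outer, "realm": realm_of(outer),
              "nas": sess.get("NAS-Identifier"), "sp_auth_ts": sess["ts"].isoformat()}
    # In practice the SP forwards outer identity, MAC, timestamp and NAS to the IdP, which runs this last step.
    result["inner_identity"] = idp_inner_identity(parse_kv_log(idp_log), outer, mac, sess["ts"])
    return result


if __name__ == "__main__":
    print(trace_report("10.20.30.41", "2024-05-02T15:05:00Z"))
```

The lease lookup is time-bounded because the same IP is handed to a different device later in the day in the sample data; a report for 10.20.30.41 at 10:30 resolves to one user and a report at 15:05 to another. The realm in the outer identity is what the SP needs in order to ask for the right home-institution contact; the inner identity only ever appears on the IdP side.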
 
Non-Compliance Handling Workflow
 
When an AUP breach occurs relating to an IP address used by a visitor from another eduroam institution, the SP should request AARNet (e.g. by submitting a request to support@eduroam.edu.au) to provide the appropriate contact at the visitor’s home institution.
 
Having obtained contact information, the SP should forward the non-compliance report and RADIUS logs so that the home institution can identify the matching authentication event in their logs. The IdP should inform the SP of its intention to take action against the user as if the non-compliance had occurred on the home institution network.