...
eduroam RADIUS server logs
| GEANT central ops | NRO | IdP | SP | |
| Dataset description: | Logs from the European top level RADIUS servers (ETLR) | Logs from the national top level RADIUS server(s) (FTLR) | Logs from the IdP RADIUS server(s) | Logs from the SP RADIUS server(s) |
| Purpose of processing: | Troubleshooting issues and resolving security incidents. | Troubleshooting issues and resolving security incidents. Recommendation by the eduroam Service Definition. | Troubleshooting issues and resolving security incidents. Requirement by the eduroam Service Definition. | Troubleshooting issues and resolving security incidents. Recommendation by the eduroam Service Definition. Requirement by the eduroam Service Definition is to keep the logs of public IP addresses assigned to users and its relation to users MAC address. |
| Data source: | Data is logged in the ETLR servers when a RADIUS authentication or response passes (user accesses eduroam in another country) | Data is logged in the FTLR server(s) when a RADIUS authentication or response passes (user accesses eduroam in another institution) | Data is logged in the IdP RADIUS server(s) when a RADIUS authentication or response passes (institution user accesses eduroam anywhere) | Data is logged in the SPs RADIUS server(s) when a RADIUS authentication or response passes. (user accesses eduroam at that SPs location) |
| Data storage and access: | Data is stored in the ETLR servers, accessible only to the eduroam operational team personnel. | Data is stored in the FTLR server(s), accessible only to the NRO operational team personnel. (This may vary based on local practices) | Data is stored in the IdP server(s), accessible only to the IdP operational team personnel. (This may vary based on local practices) | Data is stored in the SP server(s), accessible only to the IdP operational team personnel. (This may vary based on local practices) |
| Data transfer: | No | No | No | No |
| Data retention: | ? | Depends on the local policy. eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise | Depends on the local policy. eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise. | Depends on local the policy. eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise. |
| Personal data processed: | Yes | Yes | Yes | Yes |
Dataset content
| Data item | Is personal data? | ||||
| central ops | NRO | IdP | SP | ||
|---|---|---|---|---|---|
| 1 | Timestamp - The time the authentication request was exchanged i.e usert tried to access the eduroam service | ||||
| 2 | Outer EAP-identity - username@institution_domain, username can be anonymised but not all users do that | ||||
| 3 | Inner EAP-identity - username@institution_domain | ||||
| 4 | Calling-Station-Id - users MAC address | ||||
| 5 | Authentication result | ||||
| 6 | Chargeable-User-Identity - users anonymous ID | ||||
| 7 | IP address assigned by the SP after the sucessfull authenticaiton, including its relation to users MAC address |
| |||
...
| Data item | Is personal data? | Comment | |
|---|---|---|---|
| 1 | REALM - As in users EPPN used for the authentication (for example “@education.lu”) - contains the user’s country of origin and the institution of origin | Yes | |
| 2 | Calling-Station-Id - User’s device MAC address | Yes | |
| 3 | Viscountry - ISO country code of the NRO that generated the log message | Yes | No (VP proposal) |
| 4 | Visinst - Identifier of visited institution i.e. operator-name RADIUS attribute | Yes | No (VP proposal) |
| 5 | Result - Authentication outcome: OK / FAIL | No |
...