Dealing with complaints about visiting eduroam users

Download as PDFDownload as PDF

The vast majority of use of the Janet network (and Janet-connected eduroam networks) causes no problems, however occasionally a complaint about a user's behaviour is received. To protect the reputation of Janet and its customers, our policies require connected organisations to deal effectively with complaints about their users’ activities. Normally that is straightforward since the organisation should be able to use its logs to identify the user and deal with the individual according to local policies. If however a complaint is received relating to an IP address that was in use at the time by a visitor from another eduroam member, then that process doesn’t work. Instead the complaint needs to be forwarded (via Janet CSIRT) to the visitor’s home site which must, under the terms of the eduroam(UK) policy, deal appropriately with the relevant user.

Unless you happen to know the relevant contact for security issues at the visitor’s home site, the best option is to forward the complaint by e-mail to Janet CSIRT which will work with the eduroam operations team to identify the right home site contact. This is particularly useful in cases involving visitors from overseas eduroam sites. You should forward details of the eduroam authentication response[1] along with the complaint so that the home site can identify the matching authentication event in their logs. Nb. Whilst eduroam technical contact/sys admin contacts are listed on the Support server (general page), these are usually NOT the correct contact for security and compliance to AUP matters. Hence our guidance to liaise with CSIRT. You may of course raise a help ticket through JSD - eduroam(UK) Tech Support will triage the incident and assist in progressing to a satisfactory conclusion.

You may find the model response templates that UCISA has helpfully produced useful when responding to complaints relating to  breach of copyright, see:

See also 'Investigating Copyright Complaints:

[1.] Details of the authentication response - from your logs as required by Tech Spec. you should, using your DHCP and NAT mapping logs if NAT is employed, be able to determine from the allocated IP address the corresponding MAC address and hence provide:

- the time of the authentication request (syncd to NTP)
- the value of the user name attribute in the request (note that this is the outerID and may be deliberately falsified or anonymous)
- the value of the Calling-Station-Id attribute in the request (MAC address)

You may also be able to provide:

- the Called-Station-Id or NAS-Identifier (these identify the AP the user was connected to and if these attributes are not filtered by your ORPS may be helpful to the Home organisation)

Nb. The eduroam service you provide visitors is subject to your own AUP and you are at liberty to withdraw service to an individual user in cases of network abuse (having notified the Home organisation and where possible the individual concerned).