How to read your eduroam report
We are pleased to introduce you to your eduroam report. These reports are individually generated for each institution, for a defined time period and built from our log message statistics.
These reports offer graphs and maps representative of your eduroam service over the selected period.
Included, you will see an introduction page, followed by the overview of your guest network and/or your authentication service, depending upon the service provided by your institution.
- Institutions acting as a Service Provider offer a guest network allowing visitors to access the wifi/network on their premises. Their report include the Service Provider overview.
- Institutions providing credentials (login/password) to their users, allowing them to be remotely authenticated while visiting eduroam locations are presented with the Identity Provider panels.
- Institutions offering both guest network and authentication service have access to the overview of each service: the Service Provider (SP) and the Identity Provider (IdP) overviews.
The introduction page offers a summary of your institution’s service activity as well as links to the following graph and map pages. Here is what to look for:
- Each device successfully authenticated, identified from username and hardware address, counted once.
- Details about the balance between your accepted and rejected requests are available on the following pages.
Service overview (4 pages)
Each service overview offers two graph pages presenting your institution’s request and device statistics, and two location pages (for the United States and the world).
Note: If your institution offers both Service Provider (SP) and Identity Provider (IdP) services, you can rely on the service color bar to emphasize the service addressed on a page.
The request graph page
You can refer to this page for information about your service requests and traffic, including authentication request type and distribution, overall success rate and EAP (Extensible Authentication Protocol) types. This allows you to monitor peak usage and to detect possible errors or traffic anomalies.
- Each device successfully authenticated, identified from username and hardware address, counted only once.
- To ensure readability, the display and frequency are adjusted to the time period. For reports generated for a time period greater than 2 months, the overview of accepted/rejected requests over time uses a full week interval per bar (including the full weeks of the period start date and end date).
- Here is a summary of the rejected request categories:
- Unfederated Realm: the realm format of the username/login (user@realm) targets the US eduroam federation (.edu), but there is no peer associated to this realm. Potential underlying reasons include typos, no longer supported realm and missing configuration/exception on the Top Level Servers.
- Empty Realm: the realm part of the username is empty. The requests can’t be associated to an Identity Provider. Service Providers should filter/discard such requests to reduce traffic and number of rejects.
- Domain Loop: the request has been preempted to avoid a loop between servers. A common case involves a misconfiguration of an SP/IdP institution, forwarding requests to the Top Level Servers for a realm/sub-realm for which it provides authentication. Such peers must correct their configuration to avoid this behavior.
- No Response: the Top Level Server did not receive a response from the Identity Provider server before reaching a timeout.
Invalid Character: the username contains invalid characters such as newline or tabulation.
- Non-EAP: the data exchange configuration does not comply with the EAP (Extensible Authentication Protocol) standard, which is required for eduroam authentication.
- Rate Limiting: some requests have been dropped as a preventive step to avoid an overload of the servers.
- Disabled ANYROAM: the request is associated with ANYROAM (non eduroam) credentials not allowed by the Service Provider. Such requests are only accepted at campuses where ANYROAM is enabled.
- Other: all other types of rejected requests. For most of these requests, the “Reason” field inherent to the reject has been filled with a customized message by the Identity Provider server or has been left empty. In the later case the message “Proxied” is added by the Top Level Radius servers.
This page gather information about the device usage of your service. It offers the number and distribution of device uniquely authenticated devices over time, as well as device succes rates and average. device_graphs_page.png
- To ensure readability, the display and frequency are adjusted to the time period. Reports generated for a time period greater than 2 months present the daily number of devices graphed as linepoints (instead of a bar graph).
- The ratio between the number of accepted request over total number of requests for the device.
The United States location page
This page shows the destination/origin of your users/visitors on United States soil.
<ol><li>Each US institution coordinates (for origins as well as destinations) are set as the coordinates of the institution’s “Primary Organization Location”. Administrators can update this attribute on the institution page, under Edit->Miscellaneous Information.</li></ol>
The world data page
The world data page offers a map and a list showing the different countries of origin (or destination) of your visitors (or users).
- Location information is extracted from message fields (operator-name) and realm extension (country code) when available. In the case of international traffic, the information might be missing or difficult to attribute to a country-specific location (virtual university credentials, multi-country organization, etc.). The number of devices falling into these categories are gathered under the denomination “UNKNOWN”.