  • SolidGrue@lemmy.world · 2 months ago (edited)

    Eduroam is just a network of RADIUS servers that cross-honor authentication among participating institutions. If your org participates in Eduroam, it means users from your org can connect to the eduroam WiFi SSID at other orgs, and vice-versa. It’s helpful for traveling academics and visitors from other .edus.

    It’s also frequently used to authenticate access to online resources like online libraries, journals, and research infrastructure. Useful for when schools collaborate on grant projects.

    The eduroam service requires a CA certificate to validate that the APs broadcasting eduroam’s SSIDs are providing the real service. The issuer of that certificate isn’t one of the well-known SSL certificate resellers, so it needs to be installed in your device’s CA store, or configured in your 802.1x WPA supplicant. The protocol used is EAP-TLS, if you’re curious.

    So what can the hosting institution see? Not much, from an authentication standpoint. Transactionally, the hosting institution sees a username and org name in an outer transaction. An encrypted payload with your user credentials is then tunneled to your home org’s servers which either validate or invalidate those credentials. If the home org validates, then the hosting org lets you connect.

    Beyond that, the network admins can “see” whatever they can normally see when you’re using someone else’s infrastructure: your DNS queries, the application ports you use, a lot of encrypted SSL/HTTPS traffic, plus the contents of anything that isn’t encrypted or sent over SSL.

    Some orgs disallow tunneling traffic out when you’re on their eduroam, so sometimes IPSec, SSH, Tor, and maybe even WireGuard are disallowed.
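    As an added example (not from the thread), here is what the supplicant-side CA configuration described above looks like in a wpa_supplicant network block, using the EAP-TLS method the comment names. The realm uni.example, the server name radius.uni.example and all file paths are assumed placeholders; the first block is the weak form without a pinned CA, the second pins the home org's CA and checks the server name.

```conf
# WEAK (constructed example): no CA pinned, no server-name check.
# The client completes the TLS handshake with any RADIUS server that
# presents any certificate, so it can join an impostor "eduroam" network.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@uni.example"
    client_cert="/etc/wpa_supplicant/alice.crt"      # assumed path
    private_key="/etc/wpa_supplicant/alice.key"      # assumed path
    # ca_cert omitted: the server certificate is never verified
}

# HARDENED (constructed example): pin the home org's CA and require the
# server certificate to name the home org's RADIUS server.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    # Outer identity: the only identity the visited org's RADIUS proxy sees.
    # The realm after "@" is what routes the request to the home org.
    anonymous_identity="anonymous@uni.example"
    # Inner identity, carried inside the TLS tunnel to the home org.
    identity="alice@uni.example"
    client_cert="/etc/wpa_supplicant/alice.crt"      # assumed path
    private_key="/etc/wpa_supplicant/alice.key"      # assumed path
    # The home org's CA certificate that the comment says must be installed.
    ca_cert="/etc/wpa_supplicant/uni-example-radius-ca.pem"
    # Reject any server certificate not issued for the home org's server.
    domain_match="radius.uni.example"
    altsubject_match="DNS:radius.uni.example"
    # Refuse legacy TLS versions for the EAP tunnel.
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

    Without ca_cert plus domain_match (or altsubject_match), the CA store alone does not help, because the supplicant is never told which server name the certificate must carry.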

    • Colorfulhipp@lemmy.world (OP) · 2 months ago

      Sorry, I think this is very helpful but unfortunately I’m not English + don’t have much knowledge on the matter, so I really don’t understand much of the things you said…

      Thank you for answering, but I must ask you (if you have the time) to explain if they could see or not what I was doing 😭

      • _edge@discuss.tchncs.de · 2 months ago

        Short version: No, most likely not.

        They see who you are, but not what you do.

        Slightly longer: Someone can probably see your connections to Google and Notion and infer that you are using Notion, but they cannot see your Google/Notion account, nor what content you are working on. (Also, those are very popular tools; unless you are enemy of the state number 1, why would they care?)

        Even longer: If your laptop or your gmail or your notion account is compromised, they can see everything.

      • ikidd@lemmy.world · 2 months ago

        No more than someone running a coffee shop wifi would see. Some basic traffic for name resolution then encrypted traffic for web browsing that they can’t read. Unless your notes application transmits in cleartext (unlikely).

      • SolidGrue@lemmy.world · 2 months ago (edited)

        You’ve asked a similar question here before this post. Have you been naughty? :-)

        At your uni, you probably have what’s called a reasonable expectation of privacy; the terms of use for accessing the computer and network facilities would be spelled out at your uni’s IT website.

        The information observed and reported on by their tools most likely amounts to what websites and services you looked up by name, and the IP addresses & ports you accessed while using their network. It will be things like start & stop times, protocol used, number of bytes transferred, and maybe some “flags” on the connection. Flags in this case are special markings on the data flow to give the network hints about how to handle that traffic most efficiently.

        MS Office Online, Notion, Gmail, they all use secured HTTPS connections, so the content is secured between you and the remote service.

        As long as you’re not doing anything illegal or that severely violates the terms of use laid out by the University, nobody will even notice your traffic. Hack away.