The eduroam log viewer gives you visibility into the US top level RADIUS server (TLRS).

You see: 

  1. Authentication logs
  2. RADIUS server logs

The two halves of the log viewer likely won't exactly mirror one another - they are just two independent log feeds in the same dashboard.

If you want to correlate an exchange between the authentication log and RADIUS server log, you will need to match the entries up by their timestamps.

You'll see logs of guests connecting with their home realm through your site if you are operating as an eduroam Service Provider. If you're also operating as an Identity Provider, you'll see logs of your users' connections when they roam.

The log viewer is built in Grafana.

When to use the log viewer

  1. After you set up a new site, verify the configuration by checking for lines in the log viewer. 
  2. To validate that guests are connecting at your site. 
  3. To validate that your users are connecting at other sites while roaming. 
  4. If one of your users contacts you when they cannot connect to eduroam at another site, check if their attempted login reached the top level RADIUS server. 
  5. If you find a great use for the log viewer that you think would help other sites, let us know and we can add it to the page.

Getting to the log viewer

The same logs are reachable from two locations:

- Federation Manager portal

- https://logs.production.infra.eduroam.us/

To get there within Federation Manager: 

  1. Log into the eduroam Federation Manager portal: https://service1.internet2.edu
  2. Select your organization from the menu, if you have more than one.

  3. Click the button labeled Log Viewer in the header of your eduroam Federation Manager portal. 



Interpreting the log viewer screen

The log viewer dashboard has two panels, Authentication Logs and Server Logs. 

The log lines displayable and searchable in the viewer are increased to 10,000 lines (from 5,000 previously) as of July 2025. 

The logs available in the viewer are copied into a separate database for Grafana. Occasionally log history is missing in the viewer because of the issues upgrading the user/group provisioning system. If you need logs in a time window that appears to be missing, we can provide them to you directly. Contact help@incommon.org.

Authentication Log: 

Authentication Log columns, from left to right: 

  1. VISINSTID: The column starts with the user's perspective, identified by their home institution 
    • VIS = visitor
    • InstID = their realm
    • VIS+INSTID = the realm of the visitor
    • If it's a guest at your organization, you'll see their home institution listed here. 
    • If it's your user at another organization, you'll see your realm here. 
  2. NEXTHOP: This is where the visitor went to get authenticated. 
    • If it's a guest at your institution, this is where your realm will show up. 
    • If it's your user at another institution, you'll see the place they visited in the NEXTHOP column. 
  3. RESULT: two results here, OK or FAIL. FAIL may contain more information in the next column. 
  4. FAILURE: this one can get complicated! It's discussed in more detail below. 
  5. VISCOUNTRY: A two or three letter code identifying the national roaming operator (NRO) this authentication passed through. Occasionally, there's an institution tied to an NRO that doesn't really belong to the country's RADIUS server it's connecting to, but that's unusual. Check this column to see what countries your visitors are based out of, or what countries your users have visited. eduroam is worldwide!
  6. EAPTYPE: lists the EAP type used for this exchange, or identifies an incomplete exchange.  
    • PEAP: Protected EAP, currently the most commonly used US eduroam authentication method. 
    • TLS: Transport Layer Security, associated with the certificate that's placed on a user's device for authentication; currently the second most common US eduroam authentication. 
    • TTLS: Tunneled Transport Layer Security, currently the least common method for US eduroam authentications. 

Troubleshooting with the log viewer

The Authentication Log shows if your RADIUS servers are communicating with eduroam US successfully. This section only shows exchanges that ended in an Accept or Reject message. 

If there are no logs:

  • There might be a problem with your configuration. 
  • Have you configured at least one device?
  • Do you have the SSID advertised?

If the RESULT column says OK, the exchange should have succeeded. 

If the attempt fails, we've tried to give some useful information about the failure. It's challenging because RADIUS does not give clear error messages. 

For best results: 

  1. Start with a scenario you are trying to troubleshoot
  2. Find a particular MAC address you are troubleshooting in the eduroam TLRS logs
  3. Try to correlate the date/time/MAC address with the internal logs you have on your organization's RADIUS server. 

Some reasons that show up in the FAILURE column: 

  1. The user's home identity provider sent an Access-Reject. This one is tricky, because it can be a valid access reject.
    1. If it's your user and you confirm internally that the request should have been rejected.
  2. The user's home identity provider didn't respond quickly enough and the authentication timed out. 
  3. The user's authentication message was missing the Message-Authenticator attribute and FreeRADIUS logged a message that includes many exclamation points (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) - part of the protection against a Blast RADIUS attack. 
  4. In other cases, a different error like lost packet fragments results in this column showing an Access-Reject message. 

The EAPTYPE column shows the EAP type of an exchange. If you see "Identity" in the column, the exchange did not complete so it should always end in a failure. 

The RADIUS server log can be used to troubleshoot users whose failures don't show up in the columns above. 

If a request does not result in a successful or failed authentication attempt (due to a bad secret, or other processing error), it will not appear in the Authentication Log.  There should, however, be an entry explaining why it was rejected in the RADIUS Server logs.  

Reasons that result in failure that won't show up in the Authentication columns: 

  1. The user could be valid but have mistyped something. 
    1. The user mistyped their password.
    2. Commonly, we see typing errors in the realm - like example,edu or example.edj.

RADIUS Server Log: 

Specific Log Messages

If you have no Hotspot/SP-service configured, you might see a message that identifies an unknown client. 

  • log="Error: Ignoring request to auth address * port 1812 bound to server default from unknown client x.x.x.x port 1814 proto udp" visinst=test.edu nexthop=

If the RADIUS shared secret you have configured in the Federation Manager portal does not match the secret configured in your local RADIUS server, you will see this message in the log (emphasis added):

  • Mon Jul 21 14:53:43 2025 : Info: Dropping packet without response because of error: Received packet from [ip-address] with invalid Message-Authenticator!  (Shared secret is incorrect.) (from client [ip-address]) VISINST=x.edu,NEXTHOP=

If the service provider IP address source is different from the one you registered in the eduroam configuration portal (Federation Manager) you will get this message. A common issue with new service provider deployments is that the source IP address we receive is different from the configured IP. 

  • Mon Jul 21 15:08:01 2025 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client [IP-Address] port 60396 proto udp VISINST=test.edu,NEXTHOP=

In most eduroam deployments, the identity provider IP address and the service provider IP address are the same IP address. However, at this time we still require the same server to be referenced twice. Make sure you enter that IP address in both locations if you are using a server for both roles. 
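The messages above can be triaged automatically once exported from the RADIUS Server Logs panel. The following is an added example, not part of the eduroam tooling: it matches the two message types quoted on this page and maps each to the cause described here. The function name, rule labels and sample IP addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Patterns are built from the messages quoted on this page; the hint text
# paraphrases the page's explanation of each message.
RULES = [
    (re.compile(r"Ignoring request to auth address .* from unknown client (?P<client>\S+) port \d+"),
     "unknown_client",
     "Source IP is not registered in Federation Manager, or no Hotspot/SP service is configured."),
    (re.compile(r"invalid Message-Authenticator!\s+\(Shared secret is incorrect\.\) \(from client (?P<client>[^)]+)\)"),
     "shared_secret_mismatch",
     "Shared secret in Federation Manager differs from the one on the local RADIUS server."),
]
# Leading timestamp, present on some lines only.
TS = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : ")
# The realm tag appears in both upper and lower case in the quoted lines.
VISINST = re.compile(r"(?i)\bvisinst=(?P<realm>[^,\s]*)")

def classify(line):
    """Return a dict describing a known server-log message, or None."""
    for pattern, kind, hint in RULES:
        m = pattern.search(line)
        if not m:
            continue
        ts = TS.match(line)
        realm = VISINST.search(line)
        return {
            "kind": kind,
            "client": m.group("client"),
            "realm": realm.group("realm") if realm else None,
            "time": datetime.strptime(ts.group("ts"), "%a %b %d %H:%M:%S %Y") if ts else None,
            "hint": hint,
        }
    return None

# Constructed sample input: the page's messages with documentation-range IPs
# substituted for the redacted addresses, plus one unrelated (constructed) line.
SAMPLE = [
    'Mon Jul 21 14:53:43 2025 : Info: Dropping packet without response because of error: Received packet from 192.0.2.10 with invalid Message-Authenticator!  (Shared secret is incorrect.) (from client 192.0.2.10) VISINST=x.edu,NEXTHOP=',
    'Mon Jul 21 15:08:01 2025 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 198.51.100.7 port 60396 proto udp VISINST=test.edu,NEXTHOP=',
    'log="Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 203.0.113.5 port 1814 proto udp" visinst=test.edu nexthop=',
    'Mon Jul 21 15:09:00 2025 : Info: Ready to process requests',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "unclassified")
```

The `client` and `time` fields are the values to compare against your registered server IPs and your local RADIUS server's logs.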

Searching - two options

  1. Filter Columns
    • Search for a particular result, failure reason, EAP type, visited institution - by clicking the funnel icon on any column.
  2. Detailed log searching
    • Go to the Explore view by clicking on the compass icon on the left side toolbar.
    • In the Explore view, you can search for any string in the RADIUS Server Logs by typing a query (shown below):
      • {record_type="stdout"} |= "<search-string>"
    • Search the Authentication logs with the following query:

      • {record_type="fticks"} |= "<search-string>"
    • Then, hit the refresh icon.
    • Any logs that match the search string will appear in the lower window.

Changing Your Organization Context

If you are an eduroam Admin for more than one organization, you will be able to switch your Organization context from right within Grafana.

You can switch by clicking your avatar in the upper left-hand corner and choosing 'Switch organization'. This will show a list of Organizations for which you are an eduroam Admin and give you an option to choose a different Organization.