Wireless network offers three connectivity options for employees and students, guests and conferences.
This network is intended for guests of the Mathematical Section without a contractual relationship with the Charles University. You must be registered user to use this network. Users are managed by the network administrators (M. Bejček, J. Richter, O. Ulrych). A personal visit to the network administrator office is required to set up the account. If a user already has an account, just write an e-mail to network administrators to add a WiFi connection option. If a guest already has account with an WiFi connection option, just set a password on this page. If you have problems with connection, contact network administrators with confidence.
Username for network msekce-guest is entered in the form
This network is used for workshops, conferences and similar one-time events, where there are many external participants. The network is not enabled by default. If you are interested in turning on this network for your event, please contact network administrators in advance (at least one week in advance). The network will only be active during the event. A specific password will always be set for each event.
Students and emplyees (eduroam)
This page contains information for users, who wants to connect to Eduroam network at MFF UK, Sokolovská 83.
For wireless connection, standards 802.11b/g and 802.11a are used. Corridors, lecture rooms and offices in the building are covered by WiFi signal. User have to be authenticated (802.1x protocol) to use the network.
- It's incumbent upon all Eduroam users to respect the rules of host a home network and also the rules of CESNET, see www.cesnet.cz.
- All Eduroam users are fully responsible for misuse of their personal data (password, certificate, ...), allowing access to the network.
All Eduroam users have to respect dean order 4/2008: Rules for using computers connected to the MFF UK network.
Important rules from orders
From CESNET academic network rules results some activities which are prohibited:
- attempting to gain unauthorized access to resources of connected networks
- infringing copyrights
- activities which result in excessive load of network
- activities which leads to user privacy disruption
- How to connect
Account at any institution connected do Eduroam project is needed. You can find the list of instituions at project www pages.
At Karlín you can be authorized against RUK authorization resources, all authorization attempts are passed through proxy.
If you want to find information about logins and passwords for MFF UK students and employees, visit pages ÚVT UK. Follow following procedure.
- Visit Issuing center and take your student or employee identity card with. You get temporary password for Charles University Authentication Service
- Change your password at Charles University Authentication Service not later than 10 days after gaining temporary password
- Set your 802.1x password at Charles University Authentication Service . This paasword is separated from password which provides access to authenatication service.
- Your login will be "firstname.lastname@example.org" and can be used anywhere in Eduroam network
The only possibility how to connect to Eduroam network at Karlín is using authentication mechanism defined by 802.1x standard
- Data encryption between computer and access point – in Eduroam network is based on TKIP encryption with WPA key exchange
- For authentication encrypted tunnel (802.1x, based on SSL) between access point and Radius server is made. Identity of authorizing server is based on his certificate.
- Encrypted authentication data (login name and password) are sent using PEAP protocol, password coded with EAP-MSCHAPv2.
Step by step guides for your operating system can be found at site https://www.eduroam.cz/en/uzivatel/sw/uvod.
IP address is automatically assigned from DHCP server
- From security reasons, data transfer is between Internet and Eduroam is limited and onlyfollowing protocols and services can be used:
Protocol Port/type Service ---------------------------------------------------------------- tcp 22 ssh Secure shell tcp 25 smtp Simple Mail Transfer Protocol tcp 37 time Timeserver tcp 80 http Hyper Text Transfer Protocol tcp 110 pop3 Post Office Protocol tcp 119 nntp News tcp 143 imap Mailbox Access tcp 389 ldap LDAP directory services tcp 443 https Secure HTTP tcp 465 smtps Secure SMTP tcp 563 nntps News (SSL) tcp 636 ldaps LDAP directory services (SSL) tcp 993 imaps Secure mailbox access tcp 995 pop3s Secure Post Office Protocol tcp 1194 ovpn Open VPN tcp 1352 lotus Lotus Notes tcp 2401 cvs CVS versioning system tcp 3389 rdp Remote Desktop tcp 3690 svn SVN versioning system tcp 4156 avg AVG TCP server tcp 5190 icq ICQ instant messaging tcp 5222 jabber Jabber instant messaging tcp 5223 jabber Jabber instant messaging (SSL) tcp 8080 http Hyper Text Transfer Protocol (proxy) udp 53 domain Domain Name Server udp 123 ntp NTP clock synchronization udp 1194 vpn OpenVPN udp 3690 svn SVN versioning system icmp 8 ping ICMP ping
Connected computers get IP address automatically from DHCP server from public address range 220.127.116.11 - 18.104.22.168.
- Security issues
Storing your password to registry is not secure, especially in combination with using privileged account or account without password. Using ordinary user account protected with password is more secure and in this case storing password to registry doesn't increase security risk. If is connected computer shared by more than one user, every user should have his own password protected account.
It's highly recommended to install and use certificates for authentication servers. For Charles University users CESNET certification authority is recommended. You can lower man-in-the-middle attack risk with this. Don't forget that some programs doesn't share certificates.
All users are responsible for securing their computers. Computers can be target of attact and also source of attacks. Only computers which are up to date with security updates, guarded with antivirus and firewall can be securely used on internet.
- Network monitoring
In Eduroam network, following (in accord with Czech Eduroam Association roaming policy) is monitored and logged:
- authentication requests (802.1x, radius log)
- DHCP requests
- suspicious ARPA traffic
- stare and traffic information on AP
Data are in database at least 6 months.
- User support
In case of problems or misunderstanding (this page or Eduroam) you can contact Karlín network administrators.