EDUROAM - WiFi

How to connect to the Eduroam network at MFF UK Karlín

This page contains information for users who want to connect to the Eduroam network at MFF
UK, Sokolovská 83.

Technology
Terms of use
How to connect
Limitations
Security issues
Network monitoring
User support

The Eduroam logo is a registered trademark of
TERENA.

Technology
For wireless connection, the 802.11b/g and 802.11a standards are used.
Corridors, lecture rooms and offices in the building are covered by WiFi signal. Users have to be authenticated (802.1x protocol) to use
the network.
Terms of use
  • It is incumbent upon all Eduroam users to respect the rules of both the host and the home network
    and also the rules of CESNET, see
    www.cesnet.cz.
  • All Eduroam users are fully responsible for any misuse of their personal credentials
    (password, certificate, ...) that allow access to the network.

All Eduroam users have to respect Dean's Order 4/2008: Rules for using computers connected to the MFF UK network.

Important rules from orders

The CESNET academic network rules prohibit, among others, the following activities:

  • attempting to gain unauthorized access to resources of connected networks
  • infringing copyrights
  • activities which result in excessive load on the network
  • activities which lead to disruption of user privacy
How to connect
An account at any institution connected to the Eduroam project is needed. You can find the list of institutions on the
project www pages.

At Karlín you are authorized against the RUK authorization resources; all authorization attempts are passed through a proxy.
For information about logins and passwords for MFF UK students and employees, visit the
pages of ÚVT UK. Then follow the procedure below.

The only way to connect to the Eduroam network at Karlín is the authentication mechanism defined by the 802.1x standard:

  • Data encryption between the computer and the access point – in the Eduroam network it is based on TKIP encryption with WPA key exchange.
  • For authentication, an encrypted tunnel (802.1x, based on SSL) is established between the access point and the RADIUS server.
    The identity of the authorizing server is based on its certificate.
  • Encrypted authentication data (login name and password) are sent using the PEAP protocol;
    the password is encoded with EAP-MSCHAPv2.

Step-by-step guides for your operating system can be found at https://www.eduroam.cz/en/uzivatel/sw/uvod.

The IP address is assigned automatically by the DHCP server.

Limitations
For security reasons, data transfer between the Internet and Eduroam is limited and only the following protocols and services can be used:

Protocol   Port/type   Service   Description
------------------------------------------------------------
tcp        22          ssh       Secure shell
tcp        25          smtp      Simple Mail Transfer Protocol
tcp        37          time      Timeserver
tcp        80          http      Hyper Text Transfer Protocol
tcp        110         pop3      Post Office Protocol
tcp        119         nntp      News
tcp        143         imap      Mailbox access
tcp        389         ldap      LDAP directory services
tcp        443         https     Secure HTTP
tcp        465         smtps     Secure SMTP
tcp        563         nntps     News (SSL)
tcp        636         ldaps     LDAP directory services (SSL)
tcp        993         imaps     Secure mailbox access
tcp        995         pop3s     Secure Post Office Protocol
tcp        1194        ovpn      OpenVPN
tcp        1352        lotus     Lotus Notes
tcp        2401        cvs       CVS versioning system
tcp        3389        rdp       Remote Desktop
tcp        3690        svn       SVN versioning system
tcp        4156        avg       AVG TCP server
tcp        5190        icq       ICQ instant messaging
tcp        5222        jabber    Jabber instant messaging
tcp        5223        jabber    Jabber instant messaging (SSL)
tcp        8080        http      Hyper Text Transfer Protocol (proxy)
udp        53          domain    Domain Name Server
udp        123         ntp       NTP clock synchronization
udp        1194        vpn       OpenVPN
udp        3690        svn       SVN versioning system
icmp       8           ping      ICMP ping

Connected computers get their IP address automatically from the DHCP server, from the
public address range 195.113.26.2 - 195.113.26.126.

Security issues
Storing your password in the registry is not secure, especially in combination with a privileged account
or an account without a password. Using an ordinary, password-protected user account is more secure, and in that case
storing the password in the registry does not increase the security risk. If the connected computer is shared by more than one user,
every user should have their own password-protected account.
It is highly recommended to install and use certificates for the authentication servers. For Charles University users
the CESNET certification authority is recommended.
This lowers the risk of a man-in-the-middle attack. Keep in mind that some programs do not share certificates with each other, so the certificate may have to be installed for each of them separately.
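As an added example (not part of this page or of the Eduroam project's own guides), a wpa_supplicant configuration for the connection described above (PEAP with EAP-MSCHAPv2 over WPA/TKIP) that validates the RADIUS server certificate as recommended, next to the weak variant that does not. The CA file path, the user realm and the server name are placeholders, not values from this page; take them from your institution's guide.

```conf
# Added example, not the page's own configuration. All REALM.example names and
# the CA file path are placeholders to be replaced with your institution's values.

# Hardened profile: the client only completes PEAP if the RADIUS server presents a
# certificate signed by the configured CA and carrying the expected name, which is
# what limits the man-in-the-middle risk mentioned above.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # The outer identity travels unencrypted; only the realm needs to be real.
    anonymous_identity="anonymous@REALM.example"
    identity="username@REALM.example"
    # Stored in clear text here, the same concern as the registry note above:
    # keep this file readable by root only (chmod 600).
    password="change-me"
    # CA that issued the RADIUS server certificate (this page recommends the CESNET CA).
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"
    # Name that must appear in the server certificate; without this a valid
    # certificate from the same CA for any other host would still be accepted.
    domain_suffix_match="radius.REALM.example"
}

# Weak profile, kept disabled for comparison only: no ca_cert means any server
# certificate is accepted, so a rogue access point can complete the tunnel and
# collect the MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username@REALM.example"
    password="change-me"
    disabled=1
}
```

If wpa_supplicant logs a certificate validation failure, check the CA file and the expected server name before anything else rather than removing ca_cert.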

All users are responsible for securing their computers. A computer can be the target of attacks and also the source of attacks.
Only computers that are up to date with security updates and guarded with antivirus and a firewall can be used securely on
the internet.

Network monitoring
In the Eduroam network, the following is monitored and logged (in accordance with the Czech Eduroam Association roaming policy):
  • authentication requests (802.1x, RADIUS log)
  • DHCP requests
  • suspicious ARPA traffic
  • state and traffic information on the APs

The data are kept in the database for at least 6 months.

User support
In case of problems or misunderstandings (regarding this page or Eduroam) you can contact the
Karlín network administrators.