For wireless connection, standards 802.11b/g and 802.11a are used. Corridors, lecture rooms and offices in the building are covered by WiFi signal. User have to be authenticated (802.1x protocol) to use the network.

• It's incumbent upon all Eduroam users to respect the rules of host a home network and also the rules of CESNET, see www.cesnet.cz.
• All Eduroam users are fully responsible for misuse of their personal data (password, certificate, ...), allowing access to the network.

All Eduroam users have to respect dean order 4/2008: Rules for using computers connected to the MFF UK network.

Important rules from orders

From CESNET academic network rules results some activities which are prohibited:

• attempting to gain unauthorized access to resources of connected networks
• infringing copyrights
• activities which result in excessive load of network
• activities which leads to user privacy disruption

Account at any institution connected do Eduroam project is needed. You can find the list of instituions at project www pages.

At Karlín you can be authorized against RUK authorization resources, all authorization attempts are passed through proxy.

If you want to find information about logins and passwords for MFF UK students and employees, visit pages ÚVT UK. Follow following procedure.

• Visit Issuing center and take your student or employee identity card with. You get temporary password for Charles University Authentication Service
• Change your password at Charles University Authentication Service not later than 10 days after gaining temporary password
• Set your 802.1x password at Charles University Authentication Service . This paasword is separated from password which provides access to authenatication service.
• Your login will be "university_card_number@cuni.cz" and can be used anywhere in Eduroam network

The only possibility how to connect to Eduroam network at Karlín is using authentication mechanism defined by 802.1x standard

• Data encryption between computer and access point – in Eduroam network is based on TKIP encryption with WPA key exchange
• For authentication encrypted tunnel (802.1x, based on SSL) between access point and Radius server is made. Identity of authorizing server is based on his certificate.
• Encrypted authentication data (login name and password) are sent using PEAP protocol, password coded with EAP-MSCHAPv2.

Step by step guides for your operating system can be found at following sites:

Operating system	Support program	Instructions
Linux	xsuplikant	www.eduroam.cz www.eduroam.no
	WPA suplikant	www.eduroam.cz
Mac OS X		www.eduroam.no
Windows Mobile	suplikant Secure W2	www.eduroam.edu.au
Windows XP	MS configuration	PřF UK
	MS configuration, SP1	www.eduroam.cz
	Cisco Aironet Desktop Utility	www.eduroam.cz
	IBM Access Connection (v3.52)	www.eduroam.no
	IBM Access Connection (v4.23)	psik.mff.cuni.cz
Windows Vista	MS configuration	www.eduroam.cz
Windows Vista	MS configuration + certificate installation	net.zcu.cz
Symbian OS (Nokia 9500)		psik.mff.cuni.cz

IP address is automatically assigned from DHCP server

Protocol Port/type		Service
----------------------------------------------------------------
tcp     22      ssh     Secure shell
tcp     25      smtp    Simple Mail Transfer Protocol
tcp     37      time    Timeserver
tcp     80      http	Hyper Text Transfer Protocol
tcp     110     pop3    Post Office Protocol
tcp     119     nntp    News
tcp     143     imap    Mailbox Access
tcp     389     ldap    LDAP directory services
tcp     443     https   Secure HTTP
tcp     465     smtps   Secure SMTP
tcp     563     nntps   News (SSL)
tcp     636     ldaps   LDAP directory services (SSL)
tcp     993     imaps   Secure mailbox access
tcp     995     pop3s   Secure Post Office Protocol
tcp     1194    ovpn    Open VPN
tcp     1352    lotus   Lotus Notes
tcp     2401    cvs     CVS versioning system
tcp     3389    rdp     Remote Desktop
tcp     3690    svn     SVN versioning system
tcp     4156    avg     AVG TCP server
tcp     5190    icq     ICQ instant messaging
tcp     5222    jabber  Jabber instant messaging
tcp     5223    jabber  Jabber instant messaging (SSL)
tcp     8080    http    Hyper Text Transfer Protocol (proxy)
udp     53      domain  Domain Name Server
udp     123     ntp     NTP clock synchronization
udp     1194    vpn     OpenVPN
udp     3690    svn     SVN versioning system
icmp    8       ping    ICMP ping

Connected computers get IP address automatically from DHCP server from public address range 195.113.26.2 - 195.113.26.126.

Storing your password to registry is not secure, especially in combination with using privileged account or account without password. Using ordinary user account protected with password is more secure and in this case storing password to registry doesn't increase security risk. If is connected computer shared by more than one user, every user should have his own password protected account.

It's highly recommended to install and use certificates for authentication servers. For Charles University users CESNET certification authority is recommended. You can lower man-in-the-middle attack risk with this. Don't forget that some programs doesn't share certificates.

All users are responsible for securing their computers. Computers can be target of attact and also source of attacks. Only computers which are up to date with security updates, guarded with antivirus and firewall can be securely used on internet.

In Eduroam network, following (in accord with Czech Eduroam Association roaming policy) is monitored and logged:

• authentication requests (802.1x, radius log)
• DHCP requests
• suspicious ARPA traffic
• stare and traffic information on AP

Data are in database at least 6 months.

In case of problems or misunderstanding (this page or Eduroam) you can contact Karlín network administrators.