WiFi network

The wireless network offers three connectivity options: for employees and students, for guests, and for conferences.

Guests (msekce-guest)

This network is intended for guests of the Mathematical Section who have no contractual relationship with Charles University. You must be a registered user to use this network. Users are managed by the network administrators (M. Bejček, J. Richter, O. Ulrych). A personal visit to the network administrators' office is required to set up an account. If a user already has an account, just write an e-mail to the network administrators to add a WiFi connection option. If a guest already has an account with a WiFi connection option, just set a password on this page. If you have problems with the connection, do not hesitate to contact the network administrators.

The username for the msekce-guest network is entered in the form login@msekce-guest.

Conferences (mff)

This network is used for workshops, conferences and similar one-time events with many external participants. The network is not enabled by default. If you are interested in turning on this network for your event, please contact the network administrators at least one week in advance. The network will only be active during the event. A specific password will always be set for each event.

Students and employees (eduroam)

This page contains information for users who want to connect to the Eduroam network at MFF UK, Sokolovská 83.

Technology
Terms of use
How to connect
Limitations
Security issues
Network monitoring
User support
The Eduroam logo is a registered trademark of the TERENA company.

Technology

The wireless connection uses the 802.11b/g and 802.11a standards. Corridors, lecture rooms and offices in the building are covered by WiFi signal. Users have to be authenticated (802.1x protocol) to use the network.

Terms of use

  • All Eduroam users are obliged to respect the rules of the host and home networks and also the rules of CESNET, see www.cesnet.cz.
  • All Eduroam users are fully responsible for misuse of their personal data (password, certificate, ...) that allow access to the network.

All Eduroam users have to respect Dean's Order 4/2008: Rules for using computers connected to the MFF UK network.

Important rules from orders

The CESNET academic network rules prohibit the following activities:

  • attempting to gain unauthorized access to resources of connected networks
  • infringing copyrights
  • activities which result in excessive load on the network
  • activities which lead to disruption of user privacy

How to connect

An account at any institution connected to the Eduroam project is needed. You can find the list of institutions on the project web pages.

At Karlín you can be authorized against RUK authorization resources; all authorization attempts are passed through a proxy.

If you want to find information about logins and passwords for MFF UK students and employees, visit the ÚVT UK pages. Follow the procedure below.

The only way to connect to the Eduroam network at Karlín is to use the authentication mechanism defined by the 802.1x standard:

  • Data encryption between the computer and the access point: in the Eduroam network it is based on TKIP encryption with WPA key exchange.
  • For authentication, an encrypted tunnel (802.1x, based on SSL) is established between the access point and the RADIUS server. The identity of the authorizing server is based on its certificate.
  • Encrypted authentication data (login name and password) are sent using the PEAP protocol, with the password coded with EAP-MSCHAPv2.

Step-by-step guides for your operating system can be found at https://www.eduroam.cz/en/uzivatel/sw/uvod.

The IP address is assigned automatically by a DHCP server.

Limitations

For security reasons, data transfer between the Internet and Eduroam is limited, and only the following protocols and services can be used:

Protocol  Port/type  Name    Service
----------------------------------------------------------------
tcp       22         ssh     Secure shell
tcp       25         smtp    Simple Mail Transfer Protocol
tcp       37         time    Timeserver
tcp       80         http    Hyper Text Transfer Protocol
tcp       110        pop3    Post Office Protocol
tcp       119        nntp    News
tcp       143        imap    Mailbox Access
tcp       389        ldap    LDAP directory services
tcp       443        https   Secure HTTP
tcp       465        smtps   Secure SMTP
tcp       563        nntps   News (SSL)
tcp       636        ldaps   LDAP directory services (SSL)
tcp       993        imaps   Secure mailbox access
tcp       995        pop3s   Secure Post Office Protocol
tcp       1194       ovpn    OpenVPN
tcp       1352       lotus   Lotus Notes
tcp       2401       cvs     CVS versioning system
tcp       3389       rdp     Remote Desktop
tcp       3690       svn     SVN versioning system
tcp       4156       avg     AVG TCP server
tcp       5190       icq     ICQ instant messaging
tcp       5222       jabber  Jabber instant messaging
tcp       5223       jabber  Jabber instant messaging (SSL)
tcp       8080       http    Hyper Text Transfer Protocol (proxy)
udp       53         domain  Domain Name Server
udp       123        ntp     NTP clock synchronization
udp       1194       vpn     OpenVPN
udp       3690       svn     SVN versioning system
icmp      8          ping    ICMP ping

Connected computers get an IP address automatically from the DHCP server, from the public address range 195.113.26.2 - 195.113.26.126.

Security issues

Storing your password in the registry is not secure, especially in combination with a privileged account or an account without a password. Using an ordinary user account protected with a password is more secure, and in that case storing the password in the registry doesn't increase the security risk. If the connected computer is shared by more than one user, every user should have their own password-protected account.

It's highly recommended to install and use certificates for authentication servers. For Charles University users, the CESNET certification authority is recommended. This lowers the risk of a man-in-the-middle attack. Don't forget that some programs don't share certificates.
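
The server-certificate recommendation above, together with the PEAP/EAP-MSCHAPv2 setup described under How to connect, can be checked on a Linux client by auditing its wpa_supplicant configuration. This is an added example, not part of the original page; the sample configuration is constructed, and the identity, CA path and server name in it are placeholders.

```python
import re

# Constructed sample wpa_supplicant.conf: the identity, CA path and server
# name are placeholders, not values published by the page.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="login@example.org"
    password="constructed-secret"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="login@example.org"
    password="constructed-secret"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, flags=re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit_peap(net):
    """List the server-validation gaps in one PEAP network block."""
    if "PEAP" not in net.get("eap", "").upper().split():
        return []  # other EAP methods are out of scope here
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not verified against a CA")
    name_keys = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
    if not any(net.get(k) for k in name_keys):
        findings.append("no server name check: any certificate from the CA is accepted")
    return findings

def audit(text):
    return [audit_peap(n) for n in parse_networks(text)]
```

The first block in the sample is flagged twice, because without a CA and a server name check the password exchange can be completed with any server that answers for the eduroam SSID; the second block passes.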

All users are responsible for securing their computers. Computers can be the target of attacks and also a source of attacks. Only computers which are up to date with security updates and guarded with antivirus and a firewall can be used securely on the internet.

Network monitoring

In the Eduroam network, the following is monitored and logged (in accordance with the Czech Eduroam Association roaming policy):

  • authentication requests (802.1x, radius log)
  • DHCP requests
  • suspicious ARPA traffic
  • state and traffic information on AP

Data are kept in the database for at least 6 months.

User support

In case of problems or anything unclear (about this page or Eduroam), you can contact the Karlín network administrators.