eduroam

Basic information

The eduroam project was developed as a part of the TF-mobility program of TERENA, and its idea is to enable the transparent use of the networks of linked organizations. Users can connect their portable computers as guests in a foreign host organization to its local network. As a rule, a guest is connected via wi-fi or a fixed line. To authenticate a guest, their account (name and password or certificate) in their home organization is sufficient. Attachment points in the host organization allow remote authentication to the guest's home organization, where the account is located. Remote authentication takes place over the Internet via a secured encrypted channel.

For the purpose of remote authentication, eduroam creates a hierarchical connection of authentication (RADIUS) servers. Every organization involved in eduroam must have its own RADIUS server for this purpose. The RADIUS servers of organizations in one country are connected to the national proxy RADIUS server. In the Czech Republic, the national server is maintained by CESNET. Information on the eduroam policy (in Czech) and a list of organizations connected in the Czech Republic can also be found there. Further information on individual countries is available at eduroam.org, for example a map of connected countries with links to the pages of their main eduroam organizations.

The most convenient and most common way to connect to eduroam in the host organization is via wi-fi access points (APs). The user opens the wireless networking application on their laptop, selects the network from the current list of wireless networks (it will usually be named eduroam) and connects to it. The host organization determines what constraints it sets for users connected to the eduroam network. Users may have more limited access to the Internet for security reasons and will certainly have limited access to the internal local network. The limitation is fully within the competence of the host organization. User logins to and logouts from the eduroam network are logged in the host and home organizations for security reasons.

Name and password to connect to eduroam

Each home organization connected to the international eduroam network maintains accounts for its members to connect to this network. In order to easily recognize accounts in the eduroam network from the point of view of membership in the organization, a suffix (realm) is used after the user's name. It is @ujf.cas.cz in the case of NPI. If the assigned name is for example user, then his name for connection to eduroam network would be user@ujf.cas.cz.

The rules for using the eduroam network are defined by the roaming policy of this network. Users have the following obligations:

  • Every roaming user is obliged to abide by the roaming conditions of the guest and home networks and the principles of acceptable use of the CESNET academic network.
  • Every roaming user is obliged to respond immediately to the calls and instructions of the network administration of the host and home network and the CESNET roaming center.
  • Every roaming user is fully responsible for misuse of his/her personal data (password, certificate, ...), allowing him/her to access the network.

As it follows from the principles of acceptable use of the CESNET academic network, users may not use this network for activities that:

  • enable or try to gain unauthorized access to the resources of connected networks,
  • violate intellectual property rights,
  • affect the operation of the network or its individual services, prevent users from accessing these services, threaten network activity or unduly limit its performance,
  • waste network capacity,
  • destroy the integrity of information stored on computers and other network elements,
  • restrict users' privacy.

For security reasons, NPI usernames and passwords for eduroam are maintained independently of other systems. Interested NPI employees have to send an e-mail confirming that they have become familiar with the content of this site and the eduroam roaming policy. Subsequently, the generated password will be sent to them by mail and the user name (identical with the email address) will be confirmed.

Setting up the computer to connect to eduroam

From a security point of view, a Certificate Authority (CA) certificate must be installed and configured on the device to be connected. This allows the device to verify the authentication server alpha.ujf.cas.cz, so that a connection to a fake/spoofed wi-fi network (or Ethernet network, if available) is rejected. Please pay attention to any warnings about the trustworthiness of the connection, for example a validation error, which means that the server failed to authenticate, or a message that server xxx.yyy.zzz is not configured as valid for this connection. In such cases, please do not connect and consult the main IT department of NPI.
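
An added example, not part of the original NPI page: a small Python check of a wpa_supplicant profile for the two settings this paragraph depends on, the CA certificate and the pinned server name alpha.ujf.cas.cz, plus the realm of the identities. The use of wpa_supplicant, the EAP method (PEAP), the sample profiles and the certificate path are assumptions or placeholders; the page does not state them.

```python
import re

REALM = "ujf.cas.cz"              # realm from the page
AUTH_SERVER = "alpha.ujf.cas.cz"  # authentication server named on the page

# Constructed sample: the first profile is weak, the second is hardened.
# eap=PEAP and the ca_cert path are assumptions/placeholders, not NPI settings.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@ujf.cas.cz"
    password="placeholder"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@ujf.cas.cz"
    anonymous_identity="user@ujf.cas.cz"
    password="placeholder"
    ca_cert="/path/to/PLACEHOLDER-ca.pem"
    domain_match="alpha.ujf.cas.cz"
}
'''

def parse_networks(conf_text):
    """Return every network={...} block as a dict of option -> value."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", conf_text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and l[0] != "#")
        networks.append({k: v.strip('"') for k, v in pairs})
    return networks

def audit_eduroam(opts):
    """List the reasons this profile would accept a spoofed eduroam network."""
    findings = []
    if not opts.get("ca_cert"):
        findings.append("ca_cert missing: server certificate is not verified")
    pinned = opts.get("domain_match") or opts.get("domain_suffix_match")
    if pinned is None:
        findings.append("no server name pinned in the profile")
    elif pinned.lower() != AUTH_SERVER:
        findings.append(f"pinned server name {pinned!r} is not {AUTH_SERVER}")
    for key in ("identity", "anonymous_identity"):
        if key in opts and not opts[key].lower().endswith("@" + REALM):
            findings.append(f"{key} is outside the realm @{REALM}")
    return findings
```

Run `audit_eduroam` over each dict returned by `parse_networks`; an empty list means the profile verifies the server certificate and its name before credentials are sent.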

For personal computers, it is strongly recommended to use the installation packages (especially for Windows) that configure the eduroam profile and make the necessary settings automatically: the eduroam Configuration Assistant Tool.

On mobile devices, install the eduroam CAT application from the appropriate store:

  • iPhone/iPad: Apple App Store (iOS)
  • Android: Android Apps (Google Play)

Note: If you fill in the Anonymous Identity field, use your username again, as user@ujf.cas.cz.

Download certificates:

More detailed instructions and specific settings can be found in the following links:

Note: You do not need a personal certificate to use eduroam.

Access points

Only wireless (Wi-Fi) access points are operated at NPI at the moment. Technical parameters of NPI access points:

  • SSID (wi-fi network ID):  eduroam
  • Authentication:  802.1x (EAP)
  • Security (wi-fi):  WPA2
  • Encryption (wi-fi):  AES
  • IP addresses:  IPv4, non-public, NAT
  • Used devices:  Cisco

Connection restrictions in eduroam network:

  • Some outgoing services may be blocked by a firewall
  • The eduroam network is separated from the standard network of NPI
  • Access to the NPI's internal network is restricted in a similar way as for an ordinary Internet user.
  • The user is assigned an IP address that is not visible from the Internet (behind NAT). This also corresponds to the limitations - it is not possible to establish a connection to this computer from the Internet, only from the computer to the Internet.

Eduroam coverage in NPI

Currently, eduroam coverage is available:

  • Office building (No. 351) - 2nd floor (Department of Theoretical Physics), also rooms No. 223, 222B, 222C, 113 (Meeting room).
  • Physics I - Department of Nuclear Spectroscopy (Building No. 274) – 1st floor Meeting room (No. 202)
  • Physics II - Department of Neutron Physics (Building no. 275) – Ground floor, Meeting room (No. 101)
  • Laboratory of Tandetron (Building No. 231) – Meeting room (No. 116) and rooms No. 112, 114, 117, 118.
  • Department of Radiation Dosimetry (Bulovka) – 1st Floor, Meeting room (No. 116)
  • The wi-fi signal also covers the space around the above-mentioned rooms (to a limited extent)

You can find a list of all places with connection in the Czech Republic at www.eduroam.cz.

See monitor.eduroam.org for a list of all sites connected worldwide.

The name "eduroam" and the eduroam logo are registered trademarks of TERENA.

Information for guests

Three basic requirements must be fulfilled if you want to connect to eduroam:

  • Your home organisation must be connected to eduroam.
  • You must have your account in your home organization, which is used for connection to eduroam. Usually it is name and password or name and certificate. It depends on your home organization. Please, read information about eduroam at your home institution.
  • You must have your mobile computer set up for connection to eduroam. The connection can be established by means of wi-fi only. Please read the information from your home organization on how to set up the operating system of your computer. We can offer the set-up guide in Czech only (it can be reached from the Czech version of this document).

The basic rules to be followed are described in the section Name and password to connect to eduroam above.

You can get relevant information referring to eduroam from web sources:
