The rules for using the eduroam network are defined by the roaming policy of this network. Users have the following obligations:

  • Each roaming user is required to comply with the terms of both the home and visited network, as well as the acceptable use policy of the CESNET academic network – see www.cesnet.cz.
  • Each roaming user is obliged to respond immediately to instructions and requests from the administrators of both the visited and home networks, as well as the CESNET roaming center.
  • Each roaming user is fully responsible for any misuse of their personal credentials (password, certificate, etc.) that enable access to the network.

For users from the Faculty of Science, Charles University, the use of the service is also governed by the Dean’s directive: Principles of Operation and Use of Computing Equipment at the Faculty of Science, CU.

Devices equipped with wireless technology (WiFi):

The radio interface must comply with the 802.11 standard. The device must also conform to valid laws and regulations in the Czech Republic (see the General Authorization of the Czech Telecommunication Office). The network interface/card must support WPA2 and the PEAP authentication protocol, with password encryption using MSCHAPv2.

Technical Implementation:

The security of the eduroam wireless network can be divided into four main components:

  1. Encryption of communication between the device and the access point – eduroam uses AES encryption with key exchange based on the WPA2 standard. During association between the device/laptop and the access point (AP), a session key for encrypted communication is negotiated, which is continuously refreshed (essentially with every transmitted packet). This prevents the type of attack known from the legacy WEP protocol, where the key remained static and could be discovered after capturing a relatively small number of packets. The key exchange and encryption persist throughout the entire session.
  2. Access to the wireless network is restricted to authorized users only. In larger networks, one or more authentication servers verify usernames and passwords (or certificates) on behalf of many access points. To do this, a secure tunnel is established between the device and the authentication server, typically using the 802.1X protocol, which builds upon SSL. The user is not required to know the authentication server – this information is typically held by the access point. In large-scale networks like eduroam, multiple authentication servers are interconnected and forward requests among themselves, and the secure tunnel is created between the device and the server responsible for the user. For example, if a user from Masaryk University in Brno connects at the Faculty of Science, CU (using a login with realm @muni.cz), the tunnel is established from the user’s laptop to Masaryk University’s authentication server. This tunnel setup allows different organizations to use different authentication methods – some use username and password, others certificates. The tunnel is terminated once the authentication process is completed (access granted or denied).
  3. The data transferred inside the secure tunnel may be formatted in different ways, with PEAP being the most commonly used protocol. Within the tunnel, password transfer is most often handled using EAP-MSCHAPv2.
  4. One serious risk in a wireless network is rogue APs – an attacker may deploy an access point broadcasting the eduroam SSID along with a fake authentication server. Users attempting to connect will fail authentication, but the attacker may capture usernames and passwords. To mitigate this risk, two measures are recommended:
    • users must manually configure specific connection parameters on their devices/laptops (e.g., specific authentication protocols for each connection phase),
    • users should verify that the authentication server is trusted. This is done using certificate validation: when the 802.1X tunnel is established, the server presents its certificate, signed by a certificate authority. Users can configure their devices to trust only servers whose certificates are signed by a specified CA.
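As an added example that is not part of the original page, the following wpa_supplicant configuration shows the two recommendations above on a Linux client: the first network block omits CA validation and so accepts any server presented by a rogue AP, the second pins the CA and the expected server name. The CA file path, the realm in the identity fields and the server domain are placeholders, not values from the page.

```conf
# Weak: no ca_cert, so the supplicant builds the PEAP tunnel to whatever
# RADIUS server answers, including the fake server behind a rogue AP
# described in point 4 above. The MSCHAPv2 exchange then goes to the attacker.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username@your-home-realm"      # placeholder realm
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: WPA2/AES as required by the page, PEAP with MSCHAPv2 inside the
# tunnel, and the server is accepted only if its certificate chains to the
# pinned CA AND its name matches the home organisation's RADIUS server.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN                                # WPA2
    pairwise=CCMP                            # AES
    eap=PEAP
    identity="username@your-home-realm"      # placeholder realm
    anonymous_identity="anonymous@your-home-realm"  # outer identity only carries the realm for routing
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/eduroam-home-ca.pem"    # placeholder path to the home CA certificate
    domain_suffix_match="radius.your-home-realm"    # placeholder: expected server certificate name
}
```

If the certificate does not chain to the pinned CA or the name does not match, the supplicant aborts the tunnel before the inner MSCHAPv2 exchange starts, which is what prevents credential capture by a rogue server.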

The eduroam name and logo are registered trademarks of TERENA.