Basic information about the Eduroam wireless network

What is EDUROAM?

The name eduroam is short for "educational roaming", i.e. roaming between research and educational institutions. It is the name of a global project that lets users connect to the Internet, primarily over wireless access, using the network infrastructure of participating institutions. A user holding credentials issued by an institution involved in the project can connect to the Internet through any institution that provides eduroam services.

 

The eduroam network connects educational institutions worldwide, and its operation in the Czech Republic is coordinated and supported by the CESNET association. The idea of enabling users to seamlessly use interconnected networks originated within the TERENA Mobility Task Force. The primary motivation is to make the use of network services as straightforward as using mobile operator roaming.

Important information for using the EDUROAM wireless network

Access credentials

Login: login@unob.cz
Password: (the password assigned to the login)

Note: Users find their login in their Initial Login Information. The identity is NOT an e-mail address: it has the form login@unob.cz, not name.surname@unob.cz.

 

Wireless network

Network ID (ESSID): eduroam
Bands: 2.4 GHz (802.11g), 5 GHz (802.11a)
Security: WPA2 (RSN)
Authentication model: 802.1X (WPA2-Enterprise)
Outer authentication protocol: PEAPv0
Inner authentication protocol: EAP-MSCHAPv2
Root certificate: UserTrust RSA Certification Authority
Server certificate name: radius1.unob.cz

Whatever client you use, configure it to validate the RADIUS server certificate against this root and to check that the server name is radius1.unob.cz. A client that skips this check completes the PEAP tunnel with any server sitting behind an access point that broadcasts "eduroam" and hands it the MSCHAPv2 response derived from your password.

Rules for using the EDUROAM wireless network

A user who has been assigned authentication credentials by the University of Defence declares that they are aware of their own responsibility for any use of the assigned access credentials and any devices connected to the wireless computer network (hereinafter referred to as the "network"), including any activity performed using these means, and undertakes to respect the General Principles for the Use of the Wireless Computer Network under the conditions of the University of Defence:

  • They will not provide their access credentials (login and password) to a third party and will take all measures to ensure the protection of these credentials against theft.
  • They will not record, store, or process classified information as defined by Act No. 412/2005 Coll. on the Protection of Classified Information and Security Eligibility, nor information marked FOR OFFICIAL USE (NATO UNCLASSIFIED and EU LIMITE) on a device connected to the University of Defence's computer network (hereinafter referred to as the "connected device"), and they are aware of the consequences of violating the principles for protecting classified and designated non-classified information.
  • They will not use the connected device for the illegal distribution of copies of works protected by copyright laws or engage in any other activity that violates the laws of the Czech Republic.
  • They will comply with the access conditions set out in the Principles for Access to the CESNET Large Infrastructure and respect the Acceptable Use Policies (AUP) established by institutions connected to the CESNET2 National Research and Education Network, to which the University of Defence is connected.
  • They are aware that failure to comply with these requirements may result in disconnection from the network, disciplinary action, and other penalties depending on the severity of the violation.

The user acknowledges that the use of communication and computing resources in the premises of the University of Defence or their connection to the computer network may be subject to approval.

Connection configuration for eduroam - mobile operating systems

Instructions for Android

For devices running Android, you must use the geteduroam installation tool. Without it the connection has to be configured by hand, and a hand-made profile usually does not validate the RADIUS server certificate, so your login credentials can leak to a rogue access point. Android 8 and older are no longer supported and we do not recommend using such devices; for this reason we no longer provide instructions for them.

For the initial download of the application, an internet connection is required (e.g., a mobile hotspot).

Instructions for iPhone

For security reasons, iOS does not let third-party tools import certificates and network profiles directly. For these devices, download the configuration profile from the eduroam CAT (Configuration Assistant Tool) at:

https://cat.eduroam.org/

For the initial download of the profile, an internet connection is required (e.g., a mobile hotspot).

Connection configuration for eduroam - desktop operating systems

Instructions for Windows

For devices running Windows 10 or 11, you must use the geteduroam installation tool.

Without it the connection has to be configured by hand, and a hand-made profile usually does not validate the RADIUS server certificate, so your login credentials can leak to a rogue access point. Windows XP, 7 and 8 no longer receive security updates from Microsoft, so using them is a significant risk in itself; for these reasons we no longer provide configuration instructions for those systems.

For the initial download of the application, an internet connection is required (e.g., a mobile hotspot).

Instructions for macOS

Because of the manufacturer's security policy, macOS does not allow third-party applications to install certificates. Follow the video tutorial instead: download the configuration file from https://cat.eduroam.org/ and install it. For the initial download of the configuration file, an internet connection is required (e.g., a mobile hotspot).

Instructions for Linux

  • The guide assumes basic knowledge and skills in administering your Linux distribution: administrative rights on the computer, the ability to install and configure software and run commands from the command line, and enough proficiency to find your way around on your own. It is therefore not intended for complete beginners.
  • The guide describes the use of the wpa_supplicant command, which directly handles the configuration and management of the wireless chipset through the so-called wireless extensions API and authenticates the user to wireless access points connected to the EDUROAM infrastructure. (On current kernels the nl80211 interface has replaced wireless extensions for most drivers; wpa_supplicant supports both.) To stay usable across the widest possible range of Linux distributions, it intentionally gives no instructions for higher-level graphical environments (e.g., KDE, GNOME, NetworkManager), because their appearance, versions and configuration procedures vary considerably between distributions.
  • Note that laptops typically have a physical switch (often on the side) that can completely enable or disable the wireless adapter. If iwconfig shows no wireless adapter, first check that this switch is in the "on" position.
  • It is absolutely essential that the target computer meets requirements 1 to 4 below; the setup itself consists of the steps 1 to 5 that follow them.

Setup procedure

A note before the procedure itself: the commands below must be run from the Linux command line with root privileges. Most current distributions do not allow logging in as root directly, but let an ordinary, unprivileged user run commands with root privileges via sudo. If you cannot log in as root, you will probably have to prefix the commands with sudo, e.g. sudo cp ..., sudo chmod ... and so on.

  1. Installed drivers for the wireless adapter in use (the Linux distribution normally handles this during installation, when it detects the hardware and installs the appropriate drivers; if not, the kernel driver modules must be reconfigured and recompiled to include the module for the adapter's chipset). The adapter should support the WPA2 security model, i.e., carry Wi-Fi certification (a "WiFi" sticker on the laptop indicates WPA2 support). Adapters supporting only the older WPA model are also supported, but they must always be configurable through the so-called wireless extensions API, i.e., with the wireless-tools utilities, the standard set of commands for controlling wireless chips in Linux. To check that the wireless adapter is recognised, run iwconfig (the wireless-tools package, which contains iwconfig, must be installed). The output must show a wireless interface named wlanX (where X is a number); on distributions with predictable interface names it may instead be called something like wlp3s0, in which case substitute that name for wlan0 in all commands below. This also verifies that the adapter supports configuration via the wireless extensions API: if the text "no wireless extensions" does not appear next to the interface, everything is in order.

  2. An installed and running DHCP client service (the dhcpcd software), which, on connecting to the wireless network, obtains the computer's IP address and the DNS server addresses from the DHCP server. We recommend checking the installed version of dhcpcd by running:

    dhcpcd --version

    to ensure it is version 5.X.X or higher, because of support for so-called carrier detection. To verify that dhcpcd is running, use:

    ps w -C dhcpcd

    On success this prints information about the running dhcpcd process, including the arguments it was started with.

  3.  Installed software wpa_supplicant (we recommend version 0.7.3 or higher; the configuration described below was tested with this version). After installing the wpa_supplicant package, you can check the installed version by running the command:


    wpa_supplicant -v

  4. The high-level graphical network connection manager NetworkManager is not running.
    If it is running and you wish to use it, you can configure your network connection according to the information in the Other systems section below.

    If you do not have NetworkManager installed, or do not want to use it, continue with this guide.
    First, however, make sure NetworkManager is not running: while it runs it keeps the wireless interface under its own control (through its own wpa_supplicant instance), so you could not drive wpa_supplicant directly. How to stop it depends on the init system used by your Linux distribution (upstart, systemd, sysvinit, BSD), so you may have to look up how to do this on your particular distribution.
    Typically one of the following commands works. On distributions with upstart/SysV init (older Red Hat, Debian and their clones):

    sudo stop network-manager

    on distributions with systemd (current Red Hat, Debian 8 and newer, and their clones):

    sudo systemctl stop NetworkManager.service
    sudo systemctl disable NetworkManager.service

    on distributions with BSD-style boot scripts (Slackware):

    /etc/rc.d/rc.networkmanager stop
    chmod a-x /etc/rc.d/rc.networkmanager

  1. Download the file containing the root and intermediate certificates in PEM format, which is used to verify the authenticity of the RADIUS servers, and save it in /etc/ssl/certs. Before relying on it, check that the bundle really contains the USERTrust RSA Certification Authority root and the GEANT OV RSA CA 4 intermediate that appear in the authentication output in step 5; a bundle fetched over an untrusted connection could have been swapped.

  2. Download the wpa_supplicant.conf configuration file and save it in /etc. Because this file will contain your credentials with the password in clear text, make sure only root can read it:

    chown root:root /etc/wpa_supplicant.conf
    chmod 0600 /etc/wpa_supplicant.conf

    (Mode 0600 is sufficient: the file is data, not a program, so it needs no execute bit.)

  3. Open wpa_supplicant.conf in a text editor and replace IDENTITY and PASSWORD with your credentials (note: IDENTITY has the form login@unob.cz, NOT name.surname@unob.cz!), following the instructions given in the file. Leave the server-validation settings that reference the certificate bundle from step 1 and the server name radius1.unob.cz untouched; they are what stops a rogue access point from collecting your password.

  4. Verify that you are within range of the UO wireless network:

    ip link set wlan0 up
    iwlist wlan0 scan | grep eduroam

    The network identifier (ESSID) eduroam should appear at least once in the output. These commands can be run whenever wpa_supplicant is not running; we recommend them during initial debugging, to be sure that an AP can be reached at all. (Distributions without wireless-tools provide the same scan through the newer iw utility.)

  5. Start the association with the AP and the authentication by running wpa_supplicant with these parameters:

    wpa_supplicant -D wext -i wlan0 -c /etc/wpa_supplicant.conf

    (wext means "use wireless extensions", wlan0 is the name of your wireless interface and -c gives the path to the configuration file. On current kernels most drivers use the nl80211 interface instead of wext; if -D wext fails, select -D nl80211 or omit -D and let wpa_supplicant choose.) If authentication succeeds, within about half a minute you should see output similar to the following (the lines that matter are the CTRL-EVENT-EAP-PEER-CERT chain and the final CTRL-EVENT-CONNECTED line):

    Trying to associate with 00:23:89:d2:13:f0 (SSID='eduroam' freq=2347 MHz)
    Association request to the driver failed
    Associated with 00:23:89:d2:13:f0
    CTRL-EVENT-EAP-STARTED EAP authentication started
    CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
    CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4'
    CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CZ/L=Brno/O=Univerzita obrany/CN=radius1.unob.cz'
    CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius1.unob.cz
    EAP-MSCHAPV2: Authentication succeeded
    EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    WPA: Key negotiation completed with 00:23:89:d2:13:f0 [PTK=CCMP GTK=CCMP]
    CTRL-EVENT-CONNECTED - Connection to 00:23:89:d2:13:f0 completed (auth) [id=0 id_str=]

    If you have difficulty with this procedure, University of Defence staff can ask Bc. Jan Rafaj for advice, tel. 44 3548.

    The last line in particular matters: on success it always begins with the tag CTRL-EVENT-CONNECTED. The command keeps running; you can end it (and thereby disconnect from the wireless network) at any time with CTRL+C.

    If your DHCP client works correctly, within a few seconds you should obtain an IP address from the DHCP server, which you can verify in another terminal with

    ip addr show dev wlan0

    or with

    ifconfig wlan0

    The output should contain an IP address beginning with 160.216.

    If the connection fails, wpa_supplicant keeps trying to find a suitable AP and authenticate, over and over. Besides output that continues without any CTRL-EVENT-CONNECTED, a typical symptom (among others) is the following group of lines, which appears at the end of each unsuccessful connection attempt:

    EAP-TLV: TLV Result - Failure
    CTRL-EVENT-EAP-FAILURE EAP authentication failed
    CTRL-EVENT-DISCONNECTED bssid=00:23:89:d2:13:f0 reason=0

    In that case make sure that you are within range of the UO wireless network (see above), that you entered the correct credentials in wpa_supplicant.conf, and that the password you entered has not expired. A different failure is a server certificate that does not validate, for example when an access point relays to a RADIUS server other than radius1.unob.cz: wpa_supplicant then aborts the TLS tunnel before your password is sent. That is the intended behaviour, so do not work around it by removing the certificate check from the configuration.
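As an added example (not the university's own configuration file or code), the following POSIX shell script ties together the parameter table under "Wireless network" and the Linux procedure above: it writes a wpa_supplicant.conf that pins the USERTrust root and the radius1.unob.cz server name, refuses to treat a configuration without that pinning as safe, and classifies wpa_supplicant output like that shown in step 5. The CA bundle path /etc/ssl/certs/eduroam-ca.pem, the anonymous outer identity anonymous@unob.cz and all function names are assumptions of this example, not values from the page; domain_suffix_match needs wpa_supplicant 2.x, while older releases only offer subject_match. The sample log inside the script is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the University of Defence page: writes a
# wpa_supplicant.conf for eduroam with the RADIUS server pinned, checks an
# existing config for that pinning, and classifies wpa_supplicant output
# as seen in step 5 above.
#
# Assumptions not stated on the page: the CA bundle from step 1 is saved as
# /etc/ssl/certs/eduroam-ca.pem and the outer (anonymous) identity is
# anonymous@unob.cz. Adjust both to what the university actually provides.

EDUROAM_CA="${EDUROAM_CA:-/etc/ssl/certs/eduroam-ca.pem}"   # assumed path
EDUROAM_ANON="${EDUROAM_ANON:-anonymous@unob.cz}"            # assumed value
EDUROAM_SERVER="radius1.unob.cz"                             # from the page
EDUROAM_ROOT_CN="USERTrust RSA Certification Authority"      # from the page

# write_eduroam_conf PATH IDENTITY PASSWORD
# Writes the network block with server validation enabled and creates the
# file with mode 0600 from the start, since it holds the password in clear
# text. The password is embedded verbatim, so avoid double quotes in it.
write_eduroam_conf() {
    path=$1; ident=$2; pass=$3
    (
        umask 077
        cat > "$path" <<EOF
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    anonymous_identity="$EDUROAM_ANON"
    identity="$ident"
    password="$pass"
    ca_cert="$EDUROAM_CA"
    domain_suffix_match="$EDUROAM_SERVER"
}
EOF
    )
    chown root:root "$path" 2>/dev/null || true   # only succeeds as root
    chmod 0600 "$path"
}

# conf_is_pinned PATH
# Returns 0 when the config both trusts a specific CA (ca_cert) and checks
# the server name (domain_suffix_match). Without these the client completes
# PEAP with whatever RADIUS server an "evil twin" eduroam AP relays to and
# hands it the MSCHAPv2 response derived from the password.
conf_is_pinned() {
    grep -q '^[[:space:]]*ca_cert=' "$1" &&
    grep -q "^[[:space:]]*domain_suffix_match=\"$EDUROAM_SERVER\"" "$1"
}

# wpa_log_status LOGFILE
# Prints one of: connected, wrong-server, auth-failed, unknown.
# "connected" additionally requires that the presented chain ended at the
# expected root and that the depth=0 certificate names radius1.unob.cz.
# This is a diagnostic only; the real control is the pinning in the config.
wpa_log_status() {
    log=$1
    if grep -q 'CTRL-EVENT-CONNECTED' "$log"; then
        if grep -q "CTRL-EVENT-EAP-PEER-CERT depth=0 .*CN=$EDUROAM_SERVER" "$log" &&
           grep -q "CTRL-EVENT-EAP-PEER-CERT depth=2 .*CN=$EDUROAM_ROOT_CN" "$log"; then
            echo connected
        else
            echo wrong-server
        fi
    elif grep -q 'CTRL-EVENT-EAP-FAILURE' "$log"; then
        echo auth-failed
    else
        echo unknown
    fi
}

# Constructed sample output, copied from the successful run shown above.
sample_success_log() {
    cat <<'EOF'
Associated with 00:23:89:d2:13:f0
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CZ/L=Brno/O=Univerzita obrany/CN=radius1.unob.cz'
EAP-MSCHAPV2: Authentication succeeded
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-CONNECTED - Connection to 00:23:89:d2:13:f0 completed (auth) [id=0 id_str=]
EOF
}

# Usage: sh eduroam-linux.sh demo   (works in a temp dir, touches nothing in /etc)
demo() {
    d=$(mktemp -d)
    write_eduroam_conf "$d/wpa_supplicant.conf" "login@unob.cz" "CHANGE-ME"
    conf_is_pinned "$d/wpa_supplicant.conf" && echo "config pins CA and server name"
    sample_success_log > "$d/run.log"
    echo "sample run: $(wpa_log_status "$d/run.log")"
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh eduroam-linux.sh demo to exercise the helpers in a temporary directory; to produce the real file, call write_eduroam_conf /etc/wpa_supplicant.conf login@unob.cz 'password' as root and then start wpa_supplicant as in step 5. The log check is only a diagnostic: the control that actually protects the password is the ca_cert plus domain_suffix_match pair in the configuration, which makes wpa_supplicant abort the TLS tunnel before MSCHAPv2 runs whenever the server does not match.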

Additional information sources

Contacts for OKIS technical support