eduroam

Participation Agreement

1. Introduction and Purpose

This participation agreement sets out the guidelines concerning the operation and control of roaming internet access on ULAKNET (National Academic Network), which is operated by ULAKBIM (National Academic Network and Information Center), an institute affiliated with TUBITAK (Scientific and Technological Research Council of Turkey). eduroam is a TERENA registered trademark; the name, written in lowercase, is an abbreviation of “educational roaming”. More information on eduroam is available at www.eduroam.org and www.eduroam.org.tr.

2. Roles and Responsibilities of eduroam Service Provider

2.1 ULAKBIM is the service provider responsible for the Turkish national eduroam service. It acts as the eduroam federation authority in Turkey, in cooperation with the European eduroam confederation.

2.2 ULAKBIM provides coordination between the participating organizations through their contact information, and maintains links with the European eduroam confederation and federations’ authentication servers.

2.3 ULAKBIM establishes and operates a national authentication server network.

2.4 ULAKBIM keeps the publishing and connection information of eduroam member institutions and publishes them at www.eduroam.org.tr together with the contact information of the institutions so that users can receive technical support.

2.5 ULAKBIM ensures that the participating organizations adhere to the rules and procedures in this agreement.

2.6 ULAKBIM shall not charge any fees for the services it provides, nor shall it use them for commercial purposes.

3. Roles and Responsibilities of Participating Organizations

3.1 An eduroam Turkey participating organization undertakes two different tasks: Identity Provider and Resource Provider.

3.2 The participating organization, whether acting as Resource Provider or as Identity Provider, shall not charge any fees for the services it provides, nor shall it seek any profit.

3.3 Roles and Responsibilities of eduroam Identity Provider

3.3.1 eduroam Identity Provider is an eduroam Turkey participating organization that provides authorization service with a username, password or certificate to enable access to its users within the organization and on eduroam member networks, as defined in the ULAKNET Usage Policy.

3.3.2 The identity provider must set up an authorization server within the terms set out in this policy. A secondary authorization server is preferable for redundancy.

3.3.3 The authorization servers of the identity provider must be accessible by the ULAKBIM eduroam national authorization server.

3.3.4 The identity provider should create an eduroam test account and submit the username and password to ULAKBIM for checking the connections and configuration. ULAKBIM must be notified before the test account is closed or its password is changed.

3.3.5 The identity provider should provide the necessary technical support for its users to connect from any eduroam resource provider.

3.4 Roles and Responsibilities of eduroam Resource Provider


3.4.1 eduroam Resource Provider is an eduroam Turkey participating organization that provides network access on its campus to users of eduroam member institutions, within the framework of the ULAKNET Usage Policy.

3.4.2 The resource provider should establish a structure that complies with the IEEE 802.1X authorization standards.

3.4.3 The resource provider may use any medium for eduroam access.

3.4.4 The resource provider should broadcast the eduroam SSID (wireless network name) in a visible way. It should use “eduroam”, in all lowercase letters, as the SSID.

3.4.5 The resource provider must allow at least the following services to run for eduroam users:

  • Standard IPsec VPN: IP protocol 50 (ESP) and 51 (AH) in and out directions; UDP/500 (IKE) upstream only,
  • OpenVPN 2.0: UDP/1194,
  • IPv6 Tunnel Broker service: IP protocol 41 upstream and downstream,
  • IPsec NAT-Traversal: UDP/4500,
  • Cisco IPsec VPN over TCP: TCP/10000 upstream only,
  • PPTP VPN: IP protocol 47 (GRE) upstream and downstream; TCP/1723 upstream only,
  • SSH: TCP/22 upstream only,
  • HTTP: TCP/80 upstream only,
  • HTTPS: TCP/443 upstream only,
  • IMAP2+4: TCP/143 upstream only,
  • IMAP3: TCP/220 upstream only,
  • IMAPS: TCP/993 upstream only,
  • POP: TCP/110 upstream only,
  • POP3S: TCP/995 upstream only,
  • Passive FTP: TCP/21 upstream only,
  • SMTPS: TCP/465 upstream only,
  • SMTP – STARTTLS: TCP/587 upstream only,
  • RDP: TCP/3389 upstream only,
  • SIP: UDP/5060 upstream and downstream,
  • RTP: UDP/16384 to UDP/16484 upstream and downstream.

3.4.6 The resource provider may, if it wishes, define a dedicated VLAN for users connecting to the eduroam network.

3.4.7 The resource provider has to store the network connection traces of the users so that the username, MAC address and IP address information can be accessed at a later date. The traces to be obtained and stored from the RADIUS server must provide at least the following information:

  • The exact date and time of the authorization request;
  • Information of the requesting RADIUS server;
  • Response to the authorization request;
  • The reason why a denied authorization request was denied.

3.4.8 The resource provider should keep and store the access traces in accordance with the provisions of the Turkish Penal Code, and present them when deemed necessary by the legal authorities.

3.4.9 The resource provider should publish local information about the eduroam service it has provided in Turkish and English in a dedicated area on the corporate web pages (Example: http://eduroam.universite.edu.tr).

Published information should include at least the following headings:

  • Information on compliance with this agreement and a link to this agreement (http://eduroam.org.tr/eduroam_politika.pdf);
  • ULAKNET Usage Policy URL link;
  • The resource provider’s Acceptable Use Policy URL link;
  • A list or map showing the SSID information and coverage areas of the eduroam connection within the campus;
  • The resource provider’s web caching server settings, if any;
  • URL link to www.eduroam.org.tr and the official eduroam logo;
  • Contact information to provide technical support to the eduroam service;
  • If user activities are monitored, it should be clearly stated how they are monitored, how long the traces are kept, and who can access them.

3.5 Roles and Responsibilities of eduroam Users


3.5.1 The user’s own institution is the identity provider, and the institution he/she visits, and from which he/she wants to connect to the eduroam network, is the resource provider.

3.5.2 The user is obliged to comply with the ULAKNET Usage Policy and the “Acceptable Use Policy” of the identity provider, if any. For this reason, the identity provider should inform users in its own institution about the policies they must comply with.

3.5.3 The user is responsible for the information he/she uses for network access. The identity provider provides its user with information such as a username and password, or a certificate.

3.5.4 The user is responsible for checking that he/she is connecting to the real eduroam service and for the security steps to be implemented. The user should connect only to the broadcasts at the places specified by the eduroam federation and member institutions, over the 802.1X secure network.

3.5.5 If the user suspects that his/her access information has been obtained by third parties, he/she should notify the identity provider.

3.5.6 The user should notify the resource provider and the identity provider about service interruptions and problems encountered in the eduroam network.

4. Communication

4.1 ULAKBIM can be reached via the e-mail address eduroam@ulakbim.gov.tr for eduroam-related matters.

4.2 ULAKBIM operates the eduroam-teknik@ulakbim.gov.tr news list, which includes the technical contact points of all Turkish eduroam Participating Organizations.

4.3 The Participating Organization should inform ULAKBIM about the contact details of the two technical contact points. Future changes in contact information should be notified to ULAKBIM.

4.4 The Participating Organization should notify ULAKBIM as soon as possible about issues such as security breaches, abuse or improper use, and service interruptions.

5. Enforcement


5.1 This agreement has been prepared by ULAKBIM. The agreement that the participating organization will put into effect for its users must comply with this agreement.

5.2 ULAKBIM may amend this agreement upon the request of the European eduroam Confederation. The Participating Organization must re-sign the amended agreement.

5.3 The participating organization may cancel the agreement without giving any reason. The request for cancellation of the agreement must be notified to ULAKBIM at least 2 months in advance for the changes to be made in the eduroam service to be effective.

5.4 In cases where emergency interventions are required, ULAKBIM may stop the eduroam service partially or completely to protect the integrity and security of ULAKNET. In such a case, ULAKBIM informs the participating organizations about the event and its consequences.

5.5 ULAK-CSIRT alerts participating organizations about security vulnerabilities, security breaches and non-contractual uses via e-mail. If the warnings are ignored or the problem persists, ULAKBIM stops the participating organization’s access to eduroam.

5.6 The resource provider may block a specific user or identity provider, by informing ULAKBIM, to protect the security and integrity of its network.

5.7 The identity provider may block one or more of its users from using the eduroam service.

The Signing Party declares to ULAKBIM that it fully understands, recognizes and will comply with the eduroam Turkey Participation Agreement.
