Eduroam Romania
The Home of Eduroam project in Romania


Eduroam Roaming Policy



Romanian Educational Network (hereinafter referred to as "ROEDUNET") and its members, public universities and other research institutions (hereinafter referred to as "members"), operate local area networks (LAN) in their premises. Their mutual concern is to ensure roaming among these LANs.

Article 1
Introduction

1.1 Roaming among separate networks should be bilaterally useful.
1.2 Cooperation among ROEDUNET and individual members or among members themselves is based on mutual confidence.

Article 2
Definitions

For purposes of this roaming policy the following terms have the following meanings:
2.1 ROEDUNET roaming centre (hereinafter referred to as "RRC") - administrator of the national RADIUS server and the point where the Romanian WLAN roaming structure is connected to the European level

2.2 PROXY - a system providing authentication and connection to the AAI structure (it is divided into: top, national and organizational level)

2.3 RRS - the Romanian roaming structure

2.4 ERS - the European level roaming structure

2.5 NOC - network operations centre

2.6 realm - the part of the username located after the "at" sign (@). The realm carries information about the user's affiliation to his home organisation and country. E.g.: adi@utcluj.ro - the realm is "utcluj.ro"

2.7 The home network - the network of the user's home organization, where his credentials are stored (username/password, certificate, ...)

2.8 The visiting network - a network to which the user connects by means of roaming and which is not his home network

Article 3
General provisions

3.1 This roaming policy is valid ONLY within the Romanian roaming structure (CRS).
3.2 A username format is always name@realm.

Article 4
Roaming user's duties

4.1 Every roaming user is obliged to observe roaming conditions of his home and visiting network and the "Acceptable Use Policy of ROEDUNET network" (hereinafter referred to as "AUP")
4.2 Every roaming user is obliged to respond immediately to appeals and directives of home and visiting network's NOCs and CRC.
4.3 Every roaming user is fully responsible for abuse of his credentials (password, certificate, ...) which provide him access to the network.

Article 5
Home network operator's duties

The home network operator is obliged to:
5.1 Make users (not only local users but also users from other networks and organisations which cooperate in the roaming system) acquainted with roaming conditions of this 'home' network.
5.2 Provide technical support for local users (e.g. client software installation, provision of information about roaming, ...).
5.3 Provide authentication proxy services for foreign users who visit this network and want to connect according to the roaming system principles. Concurrently, he has to provide authentication information about his local users to the visiting network's authentication systems which his users are connected to (according to the roaming principles).
5.4 Require observance of the AUP by the users of his network during roaming and to investigate non-observance of the AUP.
5.5 Accept announcements about non-observance of the AUP by his local users in any of the visiting networks and deny these users network access until the investigation is finished.

Article 6
Visiting network operator's duties

The visiting network operator is obliged to:
6.1 Create his own AUP (roaming conditions) and publish it in a way that it is available to the users connecting to his network.
6.2 Cooperate with home network on technical support of users connecting to his network under roaming principles.
6.3 Ensure the roaming system is configured, maintained and operated safely. In particular, the visiting network operator shall use all reasonable endeavours to ensure that the security of other networks and its users cooperating in the roaming system is not endangered.
6.4 Provide authentication proxy services for foreign users who visit this network and want to connect under roaming principles. Concurrently, he has to provide authentication information about his local users to proxy systems of visiting networks which his users are connected to (under roaming principles).
6.5 Record and store in the log authentication information (IP address, username@realm, MAC address, ...) for a period of at least 6 weeks. This information has to be deleted or made anonymous after a maximum period of 2 months except where this information is used for identification or investigation of network abuse.
6.6 Upon request, make accessible relevant parts of log to the home network administrators, CRC administrators and police or bodies responsible for penal proceedings provided it is necessary for identification of network and network services abuse.
6.7 Accept announcements about network abuse and provide it immediately to the relevant home network where the user comes from.

Article 7
Proxy system administrator's duties

The proxy system administrator is obliged to:
7.1 Ensure security of all systems and networks connected to his proxy system.
7.2 Record to the log ALL user authentication requests (successful, unsuccessful, valid, invalid, ...).
7.3 Upon request, make accessible relevant parts of log to the relevant home or visiting network administrator, CRC and police or bodies responsible for penal proceedings provided it is necessary for identification of network and network services abuse. He is obliged to store this information as well as information according to paragraph 7.2 for a period of at least 6 weeks. This information has to be deleted or made anonymous after a maximum period of 2 months except where this information is used for identification or investigation of network abuse.
7.4 Provided it is necessary (for security or operational reasons), the proxy system administrator is authorized to limit or deny roaming access for a separate user or a whole realm.

Article 8
Sanctions

In case of breach of this policy or serious security abuse:
8.1 the proxy system administrator is authorized to disable authentication of users or whole realms;
8.2 the visiting network operator is authorized to disable roaming access on user or realm level;
8.3 the home network operator is authorized to disable roaming access on user level.

Article 9
Security abuse solution procedure

In case a user of another network (authenticated by roaming principles) appears in the visiting network and starts to generate an activity breaching the AUP, the procedure is as follows:
9.1 The NOC of the visiting network immediately disables this user's roaming access to the network on the local proxy system, immediately informs the user's home network NOC and requests his blocking.
9.2 The visiting network NOC removes the user's block from the local proxy system as soon as it gets confirmation that the user has been blocked on his home network.
9.3 The suspected user cannot use the roaming service until the end of the investigation.
9.4 In case the home network NOC does not respond to blocking requests according to this procedure, the national level proxy system administrator is authorized, upon the visiting network NOC's request, to block the whole realm and place it on the "black list" within the scope of all CRS.