The e-U Virtual Campus is an initiative launched in 2003 under the Portuguese Action Plan for the Information Society, of which the FCCN is the technical coordinator. The e-U involves Services, Content, Applications and Mobile Communications Networks (inside and outside the University) for users of member institutions, encouraging and facilitating the production, access and sharing of knowledge among them.
The chief aims of the e-U Virtual Campus are:
- To foster the creation of on-line University services;
- To produce and share academic content;
- To create Higher Education communities, with three specific components:
  1. Investment in establishing Services and Content, available at any time, in any place;
  2. Massification of laptop computer usage ("one for everyone", student/lecturer);
  3. Access to the Internet and Intranet inside and outside the University Campus.
The aim of this document is to define the terms and conditions of participation and utilization relative to the e-U Virtual Campus, in particular its roaming service, which apply uniformly and equally to all the participants in the roaming process, that is: the roaming user, the home institution and the visited institution.
The provisions set forth in this document may never overlap those that result from the RCTS (Science, Technology and Society Network) user Charter. This policy should be followed by all member institutions, whether they are the visited institution or the home institution, and it should be reflected in the document that is adopted internally to define the policies for the use of this Network by end users.
For the purposes of this document, the following are regarded as participants in the roaming process:
- Visiting user – a user who visits an institution and tries to obtain the e-U Virtual Campus network services.
- Local user – a registered user who uses the services provided by the e-U Virtual Campus network at his/her home institution.
- Home institution – the institution where the visiting user is registered and with which the authentication requests relating to the roaming process are exchanged.
- Visited institution – the institution where the visiting user physically is and where he/she tries to obtain the e-U network roaming services.
- NREN – National Research and Education Network: the institution that manages and operates a national-level network. In Portugal, the NREN (RCTS) is managed by FCCN.
Under its membership of the e-U Virtual Campus, the visiting user's home institution should proceed as follows:
- Provide its authorized users, and them alone, with valid credentials.
- Prepare and disseminate to its users a document that defines an AUP (Acceptable Use Policy). This should make a point of including: the description of the roaming service provided; the obligations contained in this document, with any adaptations that may be imposed; and contact points and means of obtaining information on questions related to this matter.
- Take the necessary and sufficient measures so that its roaming users are made fully aware of the content and implications of the document mentioned in the preceding point.
- Ensure that all the records of an authenticated session, generated for a roaming user in a visited institution and sent to the home institution, are stored. Throughout the authenticated session the information on the roaming user must be kept as accurate and complete as possible, so that he/she can be identified if necessary.
- Give technical and administrative support both to local users and to its own visiting users present at any visited institution.
The institution visited by the roaming user should proceed as follows:
- Provide roaming users, duly authenticated and authorized by their home institution, with at least the minimum set of services defined for the e-U Virtual Campus network.
- Publicize the roaming service in an appropriate place, together with the respective terms and conditions of use and the level of security with which the authentication data must be transmitted.
- Guarantee that the mechanism for transmitting credentials has a sufficient level of security. If this is not possible, the roaming user should be guaranteed the possibility of starting a secure session.
- Ensure that all the logs from authentication or network sessions, generated during the roaming process for any roaming user, are stored.
- Send information about the start and stop of a network session to the home institution. The information exchanged between institutions (home and visited) during the authentication session should be as accurate and complete as possible.
- Determine, if applicable, what other network resources are made available to roaming users in addition to the minimum set of services established for the e-U Virtual Campus network.
- All support given to the roaming user must be provided by the home institution. The visited institution should only be involved in the support process if it is concluded that a problem originates there and, even so, it is not obliged to provide this support.
- The visited institution may block access to the network services for a roaming user, an institution or an NREN whenever this is justified, informing FCCN/CERT.PT (www.cert.pt/) about the kind of block and the reasons for imposing it. FCCN/CERT.PT should inform the affected institution/NREN about this measure and the respective reason.
- Should it be asked to do so by CERT.PT, the visited institution must provide all the available information that will help to identify the home institution of the roaming user involved in a security incident.
The roaming user must accept and follow the following principles:
- The user is fully responsible for the confidentiality of his/her credentials.
- If the user's credentials are (or are thought to be) compromised, the user must report this to the home institution as soon as possible, so that they can be cancelled and new ones assigned.
- Comply with the AUP established and publicized by the visited institution for the e-U Virtual Campus network.
- All roaming users must be authenticated to their home institution so that they can be given network access within the visited institution.
- Roaming users should only attempt the authentication process after ensuring that their credentials will be transmitted in a secure form.
- Roaming users must be aware that, after successful authentication, the network resources assigned to them may only comply with the minimum set of services defined for the e-U Virtual Campus network, and they should therefore not expect the same level of service found at their home institution.
In the context of the e-U Virtual Campus roaming service and the European eduroam network, the FCCN (Portuguese NREN) is responsible for the following:
- The NREN is responsible for managing and maintaining the national-level authentication proxy servers.
- The NREN will provide redundancy for the authentication proxy servers, specifically by operating more than one proxy server.
- If technically possible, the integrity of relevant information received by the national authentication proxy servers, which is to be re-routed to another institution or NREN, must be assured.
- The NREN can block access for the roaming users of a particular home institution at the national authentication proxy servers. Such blocking and the reasons for it must be communicated via CERT.PT to those responsible at the institutions involved.
- The NREN can block a particular institution at the national authentication proxy servers if that institution deliberately fails to comply with the provisions set forth in this document.
- The NREN must provide monitoring mechanisms that make information about the state of the national authentication proxy servers available. The results must be made available to interested parties, in particular to roaming users.
- The NREN is not liable for the confidentiality of data transmitted between a roaming user and his/her home institution. This must be ensured by the parties involved in the remote access process, that is, the roaming user and his/her home institution.
The trust model between institutions participating in the e-U Virtual Campus network, with respect to the mobility of students and lecturers, is based on a hierarchical authentication infrastructure whose administration is distributed.
To reduce or mitigate any security incidents inherent to the misuse of users' credentials or the improper use of resources, auditing tools must be provided and made accessible to those involved in the roaming process. These tools should enable the unambiguous tracing of a specific user or institution.
This annex defines the logged information to be sent by the visited institution to the home institution regarding any session by a roaming user, as well as the responsibilities of both in terms of data retention.
The visited institution must send the accounting information to the home institution at the start and end of each session by a roaming user, in particular the start and stop accounting logs.
The visited institution must also keep authentication logs and session start and stop logs for 6 months (level 2 – accounting from access points; level 3 – DHCP accounting).
The home institution must keep the authentication logs and session start and stop information of its users for a period of 6 months.
The visited institution must guarantee the association of level 3 to level 2 logging and, desirably, implement IP anti-spoofing mechanisms in the infrastructure.
The computer systems of the visited and home institutions, and those of the national authentication proxy servers operated by the FCCN, that are involved in the accounting logs must have their clocks synchronized via NTP (Network Time Protocol), preferably using the ntp01.fccn.pt and ntp02.fccn.pt servers.
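The following Python script is an added illustration of the level 3 to level 2 association this annex requires; it is not part of the policy or of any FCCN tooling. It correlates constructed DHCP lease records (level 3) with constructed RADIUS accounting Start/Stop records (level 2) to trace an IP address observed at a given UTC time back to the roaming user's identifier and home realm. The log line formats, field names, addresses, MAC addresses and identities are all assumed for the example; real NAS and DHCP server formats differ.

```python
"""Added example (not part of the e-U policy): associate level 3 (DHCP) logs
with level 2 (RADIUS accounting) logs to trace an IP address at a given time
back to a roaming user and his/her home realm.

All log lines, field names, addresses, MACs and identities below are
constructed for illustration; real NAS/DHCP formats differ."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed level 2 records: accounting Start/Stop as relayed to the home
# institution (ISO-8601 UTC timestamp, status, then key=value fields).
ACCT_LOG = """\
2024-03-04T09:58:12Z Start sess=8a1f user=joao@example-home.pt mac=00:11:22:33:44:55 nas=10.0.0.2
2024-03-04T10:02:40Z Start sess=8a20 user=ana@example-other.pt mac=66:77:88:99:AA:BB nas=10.0.0.2
2024-03-04T11:30:05Z Stop  sess=8a1f user=joao@example-home.pt mac=00:11:22:33:44:55 nas=10.0.0.2
2024-03-04T12:15:00Z Start sess=8a21 user=rui@example-home.pt mac=00:11:22:33:44:55 nas=10.0.0.3
"""

# Constructed level 3 records: DHCP lease grants (timestamp, MAC, IP, lease seconds).
DHCP_LOG = """\
2024-03-04T09:58:15Z lease mac=00:11:22:33:44:55 ip=193.136.10.20 secs=3600
2024-03-04T10:02:44Z lease mac=66:77:88:99:aa:bb ip=193.136.10.21 secs=3600
2024-03-04T10:58:15Z lease mac=00:11:22:33:44:55 ip=193.136.10.20 secs=3600
2024-03-04T12:15:03Z lease mac=00:11:22:33:44:55 ip=193.136.10.20 secs=3600
"""


def parse_ts(text: str) -> datetime:
    """Timestamps are UTC; every source must be NTP-synchronised for this to hold."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def kv_fields(parts: List[str]) -> dict:
    return dict(p.split("=", 1) for p in parts if "=" in p)


@dataclass
class Session:
    session_id: str
    user: str
    realm: str
    mac: str
    nas: str
    start: datetime
    stop: Optional[datetime]  # None until the Stop record arrives


@dataclass
class Lease:
    mac: str
    ip: str
    start: datetime
    end: datetime


def parse_accounting(text: str) -> List[Session]:
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        when, status, kv = parse_ts(parts[0]), parts[1], kv_fields(parts[2:])
        key = (kv["nas"], kv["sess"])  # Acct-Session-Id is only unique per NAS
        if status == "Start":
            user = kv["user"]
            realm = user.rsplit("@", 1)[1] if "@" in user else ""
            sessions[key] = Session(kv["sess"], user, realm, kv["mac"].lower(),
                                    kv["nas"], when, None)
        elif status == "Stop" and key in sessions:
            sessions[key].stop = when
        # A Stop with no matching Start is left unmatched rather than guessed.
    return list(sessions.values())


def parse_dhcp(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kv, start = kv_fields(parts[2:]), parse_ts(parts[0])
        leases.append(Lease(kv["mac"].lower(), kv["ip"], start,
                            start + timedelta(seconds=int(kv["secs"]))))
    return leases


def mac_holding_ip(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """Level 3: the MAC whose most recent unexpired lease for `ip` covers `when`."""
    live = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    return max(live, key=lambda l: l.start).mac if live else None


def trace_ip(sessions: List[Session], leases: List[Lease], ip: str,
             when: datetime) -> Optional[Tuple[str, str, str]]:
    """Level 3 -> level 2: (user, realm, session id) authenticated on the MAC that
    held `ip` at `when`, or None when the chain cannot be closed (for example the
    lease was still valid but the accounting Stop had already been sent)."""
    mac = mac_holding_ip(leases, ip, when)
    if mac is None:
        return None
    for s in sessions:
        if s.mac == mac and s.start <= when and (s.stop is None or when < s.stop):
            return (s.user, s.realm, s.session_id)
    return None


if __name__ == "__main__":
    sessions, leases = parse_accounting(ACCT_LOG), parse_dhcp(DHCP_LOG)
    for t in ("2024-03-04T11:00:00Z", "2024-03-04T11:45:00Z", "2024-03-04T12:30:00Z"):
        print(t, "193.136.10.20 ->", trace_ip(sessions, leases, "193.136.10.20", parse_ts(t)))
```

The 11:45 query shows why both levels are needed: the DHCP lease alone still names a MAC, but no accounting session covers that instant, so the tool reports that the chain cannot be closed instead of attributing the address to the user who had already logged out. The same laptop is later used by a different user, which is why the session window, not just the MAC, decides the answer; all of this assumes the clocks of the access points, DHCP server and proxies are synchronized as the annex requires.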
This Annex describes the support model that the NREN will provide for the institutions involved in the e-U Virtual Campus initiative.
- General matters related to the operation of the authentication hierarchy should be addressed to:
  E-mail: operacao@fccn.pt;
  Telephone: +351 21 8 440 101;
  Fax: +351 21 8 472 167.
  The services provided are:
  - Changing the access configurations allocated to an institution (realms and authentication servers, RADIUS secrets);
  - Removing an institution from the national proxies;
  - Adding an institution to the national proxies;
  - Coordinating technical matters of general interest.
- Security matters should be sent to the following contacts:
  E-mail: report@cert.pt;
  Telephone: +351 218440177;
  Fax: +351 218440185.
To enable proactive communication with them, the institutions participating in the e-U Virtual Campus network should give the following details (see the institution information page in the Hotspot list page):
- Name of institution
- Name of person in charge
- Postal address
- E-mail address
This Annex describes the minimum set of services provided by all institutions within the e-U Virtual Campus network, to which roaming users must have guaranteed access.
The minimum mandatory set of services is listed below:
- Public IP Service - assigning a public IP address to each roaming user;
- VPN (Virtual Private Network) access to the outside of the visited institution, in particular with IPSec, PPTP and L2TP technologies, without prejudice to other technologies, present or future;
- Access to messaging services, in particular MSN and Skype;
- Network services – access from within the hotspot to the following network services outside the visited institution:
  - FTP (ports 20 and 21);
  - HTTP (port 80);
  - HTTPS (port 443);
  - IMAP (port 143);
  - IMAP-SSL (port 993);
  - POP3 (port 110);
  - POP3-SSL (port 995);
  - SMTP and SMTP AUTH (port 25), at least for the RCTS address blocks, in particular 139.83.0.0/16; 146.193.0.0/19; 146.193.32.0/19; 146.193.64.0/18; 146.193.128.0/17; 158.162.0.0/18; 158.162.64.0/19; 158.162.96.0/20; 158.162.112.0/21; 158.162.128.0/18; 158.162.192.0/18; 192.12.232.0/24; 192.104.48.0/24; 193.136.0.0/15; 194.117.0.0/20; 194.117.16.0/21; 194.117.32.0/22; 194.117.40.0/22; and 194.210.0.0/16;
  - SSH (port 22);
  - TELNET (port 23);
  - SMTPS (port 465).
If the visited institution provides its local users with a better class of service, it is recommended that it opt to provide this same level of service to roaming users.