1 Introduction and Purpose
This participation agreement sets out the principles regarding the operation and control of mobile network access on the National Academic Network (ULAKNET) operated by the National Academic Network and Information Center (ULAKBİM), an institute of the Scientific and Technical Research Council of Turkey (TUBITAK). The word eduroam is an abbreviation of the words “educational roaming”, is written in all lowercase letters, and is a registered trademark of TERENA. Detailed information about eduroam is available at www.eduroam.org and www.eduroam.org.tr.
2 eduroam Service Provider Duties and Responsibilities
2.1 ULAKBİM is the service provider responsible for Turkey’s national eduroam service. It acts as the official body of the eduroam Turkey federation in cooperation with the European eduroam Confederation.
2.2 ULAKBİM maintains the coordination between the participating institutions by keeping contact information and maintains the connections with the authorization servers of the European eduroam confederation and federations.
2.3 ULAKBİM establishes and operates the national authorization server hierarchy.
2.4 ULAKBİM keeps the publication and connection information of eduroam member institutions and publishes them at www.eduroam.org.tr together with the contact information of the institutions so that users can receive technical support.
2.5 ULAKBİM ensures that the participating institutions comply with the rules and transactions in this contract.
2.6 ULAKBİM cannot charge any fees for the services it provides, and cannot use them for commercial purposes.
3 Duties and Responsibilities of the Participating Institution
3.1 The eduroam Turkey Participating Institution undertakes two different tasks as Identity Provider and Resource Provider.
3.2 The Participating Institution, as a Resource Provider or Identity Provider, cannot charge any fees for the services it provides, and cannot use them for commercial purposes.
3.3 Duties and Responsibilities of eduroam Identity Provider
3.3.1 eduroam Identity Provider is an eduroam Turkey participant institution that provides authorization with a username, password or certificate to enable access to its users within the organization and on eduroam member networks, as defined in the ULAKNET Usage Policy.
3.3.2 The identity provider must set up an authorization server within the terms set out in this policy. It is preferable for the identity provider to also have a secondary authorization server for redundancy.
3.3.3 The authentication servers of the identity provider must be accessible by the ULAKBİM eduroam national authorization server.
3.3.4 The identity provider should create an eduroam test account and submit the username and password to ULAKBİM for checking the connections and configuration. ULAKBİM must be notified before the test account is closed or its password is changed.
3.3.5 The identity provider should provide the necessary technical support for its users to connect from any eduroam resource provider.
3.4 eduroam Resource Provider Duties and Responsibilities
3.4.1 eduroam Resource Provider is an eduroam Turkey participant institution that provides network access to eduroam member institution users within its campus within the framework of ULAKNET Usage Policy.
3.4.2 The resource provider should establish a structure that complies with the IEEE 802.1X authorization standards.
3.4.3 The resource provider may use any medium for eduroam access.
3.4.4 The resource provider should broadcast the eduroam SSID (wireless network name) in a visible way. It should use “eduroam” as the SSID in all lowercase letters.
3.4.5 The resource provider must allow at least the following services to run for eduroam users:
• Standard IPsec VPN: IP protocol 50 (ESP) and 51 (AH) in and out directions; UDP/500 (IKE) upstream only,
• OpenVPN 2.0: UDP/1194,
• IPv6 Tunnel Broker service: IP protocol 41 upstream and downstream
• IPsec NAT-Traversal: UDP/4500,
• Cisco IPsec VPN over TCP: TCP/10000 upstream only,
• PPTP VPN: IP protocol 47 (GRE) upstream and downstream; TCP/1723 upstream only,
• SSH: TCP/22 upstream only,
• HTTP: TCP/80 upstream only,
• HTTPS: TCP/443 upstream only,
• IMAP2+4: TCP/143 upstream only,
• IMAP3: TCP/220 upstream only,
• IMAPS: TCP/993 upstream only,
• POP: TCP/110 upstream only,
• POP3S: TCP/995 upstream only,
• Passive FTP: TCP/21 upstream only,
• SMTPS: TCP/465 upstream only,
• SMTP – STARTTLS: TCP/587 upstream only,
• RDP: TCP/3389 upstream only,
• SIP: UDP/5060 upstream and downstream,
• RTP: UDP/16384 to UDP/16484 upstream and downstream.
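An added example (not part of the agreement): a Python audit that checks a firewall allow-list against the services clause 3.4.5 requires, taking direction into account and accepting a port range that is split across several rules. The tuple format, service names and sample rules are assumptions constructed for illustration; OpenVPN (UDP/1194) and IPsec NAT-Traversal (UDP/4500) are left out because the clause states no direction for them.

```python
# Added example: audit a firewall allow-list against clause 3.4.5.
# Tuple format (an assumption of this example): (kind, low, high, direction)
#   kind: "tcp"/"udp" port range, or "ip" for an IP protocol number
#   direction: "up" (upstream only), "down", or "both"
TCP_UP = {"SSH": 22, "HTTP": 80, "HTTPS": 443, "IMAP2+4": 143, "IMAP3": 220,
          "IMAPS": 993, "POP": 110, "POP3S": 995, "Passive FTP": 21,
          "SMTPS": 465, "SMTP-STARTTLS": 587, "RDP": 3389,
          "Cisco IPsec over TCP": 10000, "PPTP control": 1723}
REQUIRED = {name: ("tcp", p, p, "up") for name, p in TCP_UP.items()}
REQUIRED.update({
    "IPsec ESP": ("ip", 50, 50, "both"),
    "IPsec AH": ("ip", 51, 51, "both"),
    "IKE": ("udp", 500, 500, "up"),
    "IPv6 tunnel broker": ("ip", 41, 41, "both"),
    "PPTP GRE": ("ip", 47, 47, "both"),
    "SIP": ("udp", 5060, 5060, "both"),
    "RTP": ("udp", 16384, 16484, "both"),
})

def covered(req, rules):
    """True if the allow rules jointly permit the whole required range."""
    kind, lo, hi, direction = req
    for d in (("up", "down") if direction == "both" else (direction,)):
        spans = sorted((a, b) for k, a, b, rd in rules
                       if k == kind and rd in (d, "both"))
        need = lo  # lowest port/protocol not yet shown to be allowed
        for a, b in spans:
            if a > need:      # gap before this rule starts
                break
            need = max(need, b + 1)
        if need <= hi:
            return False
    return True

def missing_services(rules):
    """Names of clause 3.4.5 services the rule set does not fully allow."""
    return sorted(n for n, req in REQUIRED.items() if not covered(req, rules))

# Constructed sample policy, not taken from any real institution.
SAMPLE_RULES = [
    ("tcp", 1, 1023, "up"), ("tcp", 1723, 1723, "up"), ("tcp", 3389, 3389, "up"),
    ("udp", 500, 500, "up"), ("udp", 5060, 5060, "both"),
    ("udp", 16384, 16400, "both"), ("udp", 16401, 16484, "up"),  # RTP split
    ("ip", 47, 47, "both"), ("ip", 50, 51, "both"),
]

if __name__ == "__main__":
    print(missing_services(SAMPLE_RULES))
```

In the sample policy RTP is reported as missing because the upper part of its range is allowed upstream only, although the clause requires both directions.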
3.4.6 If the resource provider wants, they can define a dedicated VLAN for those who will connect to the eduroam network.
3.4.7 The resource provider must store users' network connection traces so that the username, MAC address and IP address information can be accessed at a later date. The traces obtained from the RADIUS server and stored must provide at least the following information:
• The exact date and time of the authorization request;
• Information about the requesting RADIUS server;
• Response to the authorization request;
• The reason a denied authorization request was rejected.
3.4.8 The resource provider should keep and store the access traces in accordance with the provisions of the Turkish Penal Code, and present them when deemed necessary by the legal authorities.
3.4.9 The resource provider should publish local information about the eduroam service it has provided in Turkish and English in a dedicated area on the corporate web pages (Example: http://eduroam.universite.edu.tr). Published information should include at least the following headings:
• Information on compliance with this agreement and a link to this agreement (http://eduroam.org.tr/eduroam_politika.pdf);
• ULAKNET Usage Policy URL link;
• The resource provider’s Acceptable Use Policy URL link;
• A list or map showing the SSID information and coverage areas of the eduroam connection within the campus;
• The resource provider’s web caching server settings, if any;
• URL link to www.eduroam.org.tr and the official eduroam logo;
• Contact information for technical support for the eduroam service;
• If user activities are monitored, it should be clearly stated how they are monitored, how long the traces are kept, and who can access them.
3.5 Duties and Responsibilities of eduroam Users
3.5.1 The user’s own institution is the identity provider, and the institution he visits and wants to connect to the eduroam network is the resource provider.
3.5.2 The user is obliged to comply with the ULAKNET Usage Policy and the “Acceptable Use Policy” of the identity provider, if any. For this reason, the identity provider should inform users in its own institution about the policies they must comply with.
3.5.3 The user is responsible for the information he/she uses for network access. The identity provider provides its user with information such as username – password or certificate.
3.5.4 The user is responsible for checking that he is connecting to the real eduroam service and for the security steps to be implemented. The user should connect only to the broadcasts in the places specified by the eduroam federation and member institutions, over the 802.1X secure network.
3.5.5 If the user suspects that his access information has been obtained by third parties, he should notify the identity provider.
3.5.6 The user should notify the resource provider and the identity provider about service interruptions and problems encountered in the eduroam network.
4 Communication
4.1 ULAKBİM can be reached via the e-mail address [email protected] for eduroam-related matters.
4.2 ULAKBİM operates the [email protected] news list, which includes the technical contact points of all Turkish eduroam Participating Institutions.
4.3 The Participating Institution should inform ULAKBİM of the contact details of two technical contact points. Future changes in contact information should be notified to ULAKBİM.
4.4 The Participating Institution should notify ULAKBİM about issues such as security breaches, abuse or improper use, service interruptions as soon as possible.
5 Execution
5.1 This contract has been prepared by ULAKBİM. The contract that the participating institution will apply to its users must comply with this contract.
5.2 ULAKBİM may amend this agreement upon the request of the European eduroam Confederation. The Participating Institution must re-sign the changed contract.
5.3 The participating institution may cancel the contract without giving any reason. The request for cancellation of the contract must be notified to ULAKBİM at least 2 months in advance so that the changes to be made in the eduroam service can take effect.
5.4 In cases where emergency interventions are required, ULAKBİM may stop the eduroam service partially or completely to protect the integrity and security of ULAKNET. In such a case, ULAKBİM informs the participating institutions about the event and its consequences.
5.5 ULAK-CSIRT alerts participating institutions to security vulnerabilities, security breaches and non-contractual uses via e-mail. If the warnings are ignored or the problem persists, ULAKBİM stops the participating institution’s access to eduroam.
5.6 The resource provider may block a specific user or identity provider, informing ULAKBİM, to protect the security and integrity of its network.
5.7 The identity provider may block one or more of its users from using the eduroam service.