IT Services

JANET Roaming Service

Connecting to JRS (Windows XP)

Revision 1.3

Contents

Contents 1
1.1 Summary 2
1.2 Requirements 2
2. Before you start 3
3.1 What the JANET Roaming Service can offer you 4
3.2 Roaming AUP 4
4. Your roaming credentials 5
5. How to locate JRS guest network services 6
6. Connecting securely to the JANET Roaming Service 7
6.1 Connection requirements common to all tiers 7
6.2 Tier JRS1 – Web redirection / no encryption 7
6.3 Tier JRS2 and JRS3 – 802.1x login + various encryption 8
6.3 Configuring your computer for JRS2 and above 9
7. How to get support 12
8. How to report a security incident 13
Appendix A: JRS Technical Information 14

1.1 Summary

The JANET Roaming Service (JRS) is an initiative designed to provide roaming network access between participant sites in the UK education and research sectors for staff and students. JRS is a member of the international eduroam federation, which extends this facility worldwide.

This guide sets out the information required for a Windows XP user to connect to the JANET Roaming Service.

1.2 Requirements

To connect to the JANET Roaming Service using Windows XP, you will need:

• A laptop with a wireless adaptor / card. As a minimum requirement, the wireless adaptor should support 802.11b. For JRS, PEAP or EAP-TTLS, and MSCHAPv2 are also required.

• Windows XP Service Pack 2 as a minimum requirement.

• WPA and WPA2 are supported by the University of Reading JRS. To update Windows XP to enable WPA2, see: http://support.microsoft.com/?id=893357

• Up-to-date antivirus software and the latest patches and updates for Windows XP installed.

• Familiarity with the Rules for the Use of Computers and Data Networks, found on page G32 of the University Calendar, or at: http://www.reading.ac.uk/Calendar/2002-3/pdfs/0203G.pdf

2. Before you start

Use this page to confirm you have been through all the stages required to connect to the JANET Roaming Service.

If you are using the service at the University of Reading, you will need to complete section (a). If you are visiting another site which is a member of the JANET Roaming Service or the eduroam federation, you will need to complete sections (a) and (b).

Do not write your password on this page!

(a) About the University of Reading (home site)

Username: ______________________
Realm: reading.ac.uk
JRS support site: http://www.reading.ac.uk/its/wireless/
JRS AUP location: http://www.reading.ac.uk/its/wireless/aup.html
Support contact: [email protected], +44 (0)118 378 6262
Support hours: Mon – Fri 08:30 – 19:00 during term times; Mon – Fri 08:30 – 17:00 during vacations

(b) Guest site visit checklist

[ ] My device works with the University of Reading JRS service and is prepared to accept dynamically-assigned IP addresses.

[ ] I have read the AUP of the site I am visiting.

[ ] I have confirmed the network services I require are provided by the site I am visiting.

[ ] I have confirmed the University of Reading permits remote access to the facilities I require from the visited site.

3.1 What the JANET Roaming Service can offer you

Precisely what any particular site offers to its visitors in terms of networking services is determined by its local technological and policy constraints. If the visited site’s AUP (Acceptable Use Policy) differs from that of the University of Reading then you may not be able to access some web sites or other network resources that you would expect to from the University’s network, either through being forbidden to do so by the local AUP or by such content being actively blocked.

The central JRS web repository maintains a list of links to specific organisations’ JRS pages which detail these local policies. The repository can be found at:

http://www.ja.net/services/network-services/roaming/jrs-org-map.html

Note, however, that for you to use any services at the University of Reading via a JRS enabled visitor network, they must be accessible to off-site users – i.e. the University’s firewall must allow external access to them. If you have registered for VPN access, you can also use your VPN account to connect to the University’s network.

3.2 Roaming AUP

As a JRS user, you must:

a) Be aware of the University of Reading’s AUP and understand it applies equally when visiting another JRS or eduroam site.

b) Undertake to read the overall JANET Roaming Service policy document before using the service.

c) Undertake to read the visited site’s AUP (if applicable) before you start to use their network, and abide by it also.

d) Stop immediately if you are told you are breaking any of these policies.

In all cases, if you are unsure whether a given networking activity is permitted by the University of Reading’s or the visited site’s policies, you should seek clarification from the IT staff at the location before proceeding.

4. Your roaming credentials

Your roaming credentials are based on your University username and password. However, JRS needs to know where you are from as well as who you are in order to authenticate you, because it refers the request back from the visited site to the University of Reading for authentication.

The JRS realm for the University of Reading is ‘reading.ac.uk’, which needs to be attached to your username for use on JRS. So when you log in to JRS, you should use ‘[email protected]’ rather than just your username. For example someone with a username ‘abc96def’ would need to use ‘[email protected]’ to log in to JRS.

IMPORTANT: While a JRS username looks like an email address, it isn’t necessarily the same as your actual email address. It is important not to confuse the two by attempting to log in to a JRS-enabled network with your email address (from the University of Reading or even a third-party one such as for Hotmail) since it will not work.
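As an added illustration, not code from the University of Reading or JANET, the following Python models how a visited site uses the realm part of a JRS username to decide which home site must check the password; the federation registry and the server names in it are constructed placeholders.

```python
"""Realm-based routing of a JRS login, as a visited-site proxy would do it.

Added illustration, not code from the University of Reading or JANET.
The federation registry and server names below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed registry mapping a realm to its home-site authentication server.
# In the real federation this lookup is performed by the national JRS core.
FEDERATION_REGISTRY = {
    "reading.ac.uk": "radius.example-reading.invalid",  # placeholder host
    "sgul.ac.uk": "radius.example-sgul.invalid",        # placeholder host
}

# A realm is a DNS-style name: labels of letters/digits/hyphens joined by dots.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


@dataclass
class RoutingDecision:
    accepted: bool
    realm: Optional[str]
    home_server: Optional[str]
    reason: str


def split_identity(identity: str):
    """Split 'user@realm' on the last '@'; returns (user, realm) or (user, None)."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def route_login(identity: str, visited_site: str) -> RoutingDecision:
    """Decide where the visited site forwards a login attempt.

    Only the username@realm (the outer identity) is needed for this decision;
    with PEAP the password itself stays inside the TLS tunnel to the home site.
    """
    user, realm = split_identity(identity.strip())
    if realm is None:
        # A bare username carries no realm, so the visited site cannot tell
        # which home site should check the password: it can only reject.
        return RoutingDecision(False, None, None, "no realm in username")
    if not user:
        return RoutingDecision(False, realm, None, "empty username")
    if not REALM_RE.match(realm):
        return RoutingDecision(False, realm, None, "malformed realm")
    home = FEDERATION_REGISTRY.get(realm)
    if home is None:
        # e.g. a personal e-mail address used by mistake: no home site exists
        return RoutingDecision(False, realm, None, "realm not in federation")
    if realm == visited_site:
        return RoutingDecision(True, realm, "local", "home user: authenticate locally")
    return RoutingDecision(True, realm, home, "forward to home site")
```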

5. How to locate JRS guest network services

In the UK, a central register of JRS participant sites is maintained at: http://www.ja.net/roaming.

Similar national registers are maintained by other members of the eduroam federation and can be reached from the federation web site: http://www.eduroam.org/.

At the University of Reading, you will see the following wireless services advertised. For more information on JRS tiers, see Appendix A.

SSID        Tier   Authentication         Security
eduroam     JRS2   802.1x + WPA / WPA2    High
rdg.ac.uk   N/A    Web redirect           None

It is strongly recommended that you connect to the service with the highest security level that your device supports. Most modern laptops are capable of connecting to the highest security service, ‘eduroam’. Older laptops and PDA devices may not be capable of 802.1x or WPA / WPA2. For these devices, a web-based redirect service is available as ‘rdg.ac.uk’, but its use is strongly discouraged as there is no security on the ‘rdg.ac.uk’ network.

For more information on the JRS tiers, see Appendix A. If in doubt, seek advice from IT Services or the local IT support staff at the site you are visiting.

You should not connect to a wireless service or plug in to a wired network with the hope of finding a JRS-enabled facility without some clear indication that it is indeed intended as a guest service.

Individual JRS participant sites in the UK undertake to advertise their JRS-enabled services clearly to visitors. For wireless services, JRS adopts the standard ‘eduroam’ broadcast SSID, ensuring compatibility for visitors from non-UK eduroam member organisations. In most cases, you will also see signs or posters where services are available, displaying the JRS logo.

6. Connecting securely to the JANET Roaming Service

The connection process differs slightly depending on which service you choose to connect to, and the capabilities of your laptop or other wireless device.

6.1 Connection requirements common to all tiers

Whichever tier you use, accessing wireless services requires you to associate with a service advertised via a broadcast SSID. Use of the service also requires that your computer is configured to accept automatically-assigned IP addresses.

6.2 Web redirection / no encryption (rdg.ac.uk)

Having associated with the network by connecting to the appropriate SSID, you should first launch a web browser. Upon requesting an Internet site, the network will intercept your request and redirect you to the web-based login process for the service.

At this point, the authentication mechanism will check whether your web browser recognises the security certificate offered by the service. If it does not, or the certificate is out of date or any other problems with it are indicated, you must not proceed, even if you are offered the opportunity to trust the malformed certificate presented by the service. Official JRS visitor networks will always offer a valid certificate. Where there are problems with the certificate, it may indicate that you have been intercepted by a rogue website designed to trick you into giving away your credentials. Report all certificate problems to IT staff at the visited site.

Following a successful certificate check, you will be presented with the login screen. You should confirm that the login screen is presented on a secure web page (i.e. via HTTPS) before entering your credentials.

If your authentication is successful, you will be granted a period of network access, at least to the services detailed in Appendix A. The length of this access period and any mechanisms for actively logging off will be detailed in the visited site JRS documentation. At the University of Reading, these details are shown on the login screen.

6.3 Tier JRS2 and JRS3 – 802.1x login + various encryption

Tiers JRS2 and JRS3 offer both secure authentication and a (variable) measure of data encryption to maintain your data privacy during your session.

As a guideline, tier JRS2 with WEP or WPA privacy offers a level of data protection sufficient to deter real-time exploits such as hijacking your connection or inserting bogus data into your communications. However, given sufficient time and computing power, a recording of your network traffic could be deciphered, so it is recommended that you only use protocols that apply their own data-level security (such as SSH, VPN or HTTPS) when dealing with sensitive or private data. Otherwise, assume that someone could potentially read your data later, and act accordingly. Tier JRS2 is the target that all JRS-enabled sites are working towards until hardware support for JRS3 becomes more widely available.

The University of Reading also supports the use of WPA2 privacy; other institutions may not support this privacy level due to hardware limitations. WPA2 privacy is deemed sufficient to deter all but the most determined efforts to break security. Therefore the ‘eduroam’ service at the University of Reading when used with a WPA2-capable client, and tier JRS3 services elsewhere are considered safe for the transfer of sensitive information such as user credentials without further encryption. Additional precautions are always advisable, however, as data may subsequently traverse public networks. The JRS3 tier service is always advertised as SSID ‘eduroam’.

All JRS visitor services in tier JRS2 and tier JRS3 should be completely transparent to users whose device is already appropriately configured to use their home JRS/802.1X wireless service with JRS credentials. No reconfiguration will be required. Since the login process is determined by the supplicant software you run on your client device communicating back to the home site (University of Reading), the processes involved and the login dialogues you see will always be the same. In fact, if you see any differences in the process, you should stop immediately as it is possible you are not connected to an official trusted JRS service.

6.3 Configuring your computer for JRS2 and above

You will need to configure your computer to connect to tiers JRS2 or JRS3 of the service. To do this, you need to go to a wireless zone on campus. Look for posters advertising the wireless zones, or see the IT Services web site at: http://www.reading.ac.uk/its/wireless

Click the Start button on your desktop and select Control Panel.

Find and open Network Connections.

In the next window, right click on Wireless Network Connection and select Properties from the pop up menu.

Next, click on the Wireless Networks tab, as shown in the following screen:

Select the ‘eduroam’ SSID and click Properties. If the ‘eduroam’ SSID is not shown:

   o Click Add.
   o Enter ‘eduroam’ in the ‘Network name’ box.
   o Select ‘WPA2’ (or ‘WPA’ if WPA2 is not listed) for ‘Network Authentication’.
   o Leave ‘Data encryption’ on its default setting.

Click the Authentication tab, as shown here:

Tick the box next to ‘Enable IEEE 802.1x authentication for this network’ and ensure the ‘EAP type’ field displays ‘Protected EAP (PEAP)’.

Ensure the boxes shown next to ‘Authenticate as computer’ and ‘Authenticate as guest’ are not ticked, as shown above, and then click on the Properties button.

In the next screen, ensure the ‘Validate server certificate’ box is not ticked. Be aware that with this box unticked your computer will not check the identity of the authentication server it talks to, so the advice in sections 6.2 and 8 about confirming that a service is legitimate before entering your credentials applies with particular force.

In the ‘Select authentication method’ field, select ‘Secured Password (EAP-MSCHAPv2)’, and then click the Configure button.

In the window that appears, leave the box next to ‘automatically use my Windows logon name’ blank, as shown below, and then click OK.

Click OK as many times as necessary to return to the initial ‘Wireless Network Connections Properties’ window.

In the list under ‘Preferred Networks’, make sure the ‘eduroam’ network is at the top of the list so it connects first.

Finally, click OK.

When you connect for the first time, a notification may appear by the taskbar asking you to select a certificate or enter credentials to connect to the network. You will need to click on this notification.

In the ‘User name’ field enter your JRS username, for example ‘[email protected]’; remember that this is not the same as your email address. In the ‘Password’ field, type your usual University of Reading password. Ensure the ‘Domain’ box is empty then click OK or press Enter on your keyboard.

You should now be connected to the JRS service.

7. How to get support

IT Services is your primary point of support, wherever you may be physically located. This is because JRS is designed such that all the actual processing of your authentication is carried out by your home site (see section 4), so staff at the visited site have limited access to information that may help them troubleshoot any difficulty you are having.

IT support staff at the visited site are the appropriate contact for certain kinds of information, such as where access points are located, how to find the local AUP, etc. It is also possible that in resolving an issue, IT Services staff may contact staff at the visited site to co-ordinate with them in addressing a problem.

When using eduroam facilities overseas, bear in mind the normal support hours at the University of Reading! The contact information and support hours for IT Services are given in Section 2.

JRS in the UK does have a centralised support team, but they liaise directly with designated IT staff at the participant organisations. Users should never attempt to raise an issue directly with the central team.

8. How to report a security incident

The JRS system is designed to keep your credentials private as it passes them across the network from the visited site back to the home site to be authenticated. All visited sites undertake to maintain secure services for this purpose, and are required to notify your home site and JANET-CERT (the security team for UK academia) if the security of the system may have been breached, either by a security incident or by your behaviour as a user. Visited sites, the national JRS core and your home site maintain logs of all use of the JRS system for the tracing of such incidents.

As a user, you must:

Keep your credentials private!

Take steps, as instructed by your home site when they train you on JRS usage, to confirm that the JRS-enabled visitor services into which you type your credentials at a visited site are indeed legitimate, rather than rogue systems created by inimical third parties to trick you into providing your password.

Only use network services that provide an appropriate level of security for your credentials and personal data.

Avoid using any network service in a manner that could be construed as an attempt to determine someone else’s credentials, interfere with their sessions in any way or deny overall access to the service. The latter category might include broadcast of wireless beacons, advertising routing information, or replying to DHCP broadcasts.

Co-operate with any instructions by authorised staff at the visited site relating to secure use of their guest network(s).

Should you suspect that the privacy of your credentials has been breached, or that someone has tried to induce you to reveal your credentials, you should inform the IT support contact advertised on the visited site’s JRS documentation of your concern. They will then escalate the issue appropriately.
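The following Python is an added example, not code from the University of Reading or JANET, of the kind of check a site could run over the usage logs mentioned above to trace the two behaviours this section warns about: one device trying many people's usernames, and one set of credentials in use at several sites at once. The log line format, sample entries and thresholds are constructed assumptions.

```python
"""Detection logic over JRS/eduroam authentication logs (constructed sample).

Added example, not code from the University of Reading or JANET. The log line
format, field order, sample entries and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, visited site, client MAC, outer identity, result.
SAMPLE_LOG = """\
2007-03-01T09:00:01 sgul.ac.uk 00-11-22-33-44-55 abc96def@reading.ac.uk ACCEPT
2007-03-01T09:00:05 sgul.ac.uk aa-bb-cc-dd-ee-01 abc96def@reading.ac.uk REJECT
2007-03-01T09:00:07 sgul.ac.uk aa-bb-cc-dd-ee-01 xyz01abc@reading.ac.uk REJECT
2007-03-01T09:00:09 sgul.ac.uk aa-bb-cc-dd-ee-01 qrs77tuv@reading.ac.uk REJECT
2007-03-01T09:00:11 sgul.ac.uk aa-bb-cc-dd-ee-01 lmn55opq@reading.ac.uk REJECT
2007-03-01T09:00:13 sgul.ac.uk aa-bb-cc-dd-ee-01 def12ghi@reading.ac.uk REJECT
2007-03-01T09:30:00 reading.ac.uk ff-ee-dd-cc-bb-aa abc96def@reading.ac.uk ACCEPT
2007-03-01T11:00:00 sgul.ac.uk 00-11-22-33-44-55 abc96def@reading.ac.uk REJECT
"""


def parse_log(text):
    """Parse whitespace-separated lines into (time, site, mac, identity, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, mac, ident, result = line.split()
        events.append((datetime.fromisoformat(ts), site, mac, ident.lower(), result))
    return sorted(events)


def guessing_stations(events, window=timedelta(minutes=5), min_identities=4):
    """MACs with rejections for >= min_identities distinct usernames inside
    `window`: one device cycling through other people's usernames is the
    pattern the AUP describes as trying to determine someone else's credentials."""
    rejects = defaultdict(list)
    for ts, site, mac, ident, result in events:
        if result == "REJECT":
            rejects[mac].append((ts, ident))
    flagged = {}
    for mac, items in rejects.items():          # items are already time-ordered
        for i, (start, _) in enumerate(items):
            idents = {ident for ts, ident in items[i:] if ts - start <= window}
            if len(idents) >= min_identities:
                flagged[mac] = sorted(idents)
                break
    return flagged


def shared_credentials(events, window=timedelta(hours=1)):
    """Identities ACCEPTed at two different visited sites within `window`,
    which suggests the credentials are in use by more than one person or
    device and so may no longer be private."""
    accepts = defaultdict(list)
    for ts, site, mac, ident, result in events:
        if result == "ACCEPT":
            accepts[ident].append((ts, site))
    flagged = {}
    for ident, items in accepts.items():
        for (t1, s1), (t2, s2) in zip(items, items[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged[ident] = (s1, s2)
                break
    return flagged
```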

Appendix A: JRS Technical Information

JRS Tiers

Tier   Auth type      NAT   IPv6   WEP     WPA     WPA2   SSIDs
JRS1   Web redirect   May   May    n/a     n/a     n/a    eduroam, eduroam-web
JRS2   IEEE 802.1x    May   May    Must*   Must*   May    eduroam, eduroam-wep
JRS3   IEEE 802.1x    No    Yes    No      May     Yes    eduroam

* A JRS2 site must offer either WEP or WPA.

Mandatory Service Set

Name                        Ports / Protocols
IPv6 tunnel broker          TCP & UDP 3653
IPSEC NAT traversal         UDP 4500
Cisco IPSEC NAT traversal   UDP 10000
PPTP VPN                    TCP 1723 & GRE
OpenVPN                     TCP 5000
SSH                         TCP 22
HTTP                        TCP 80
HTTPS                       TCP 443
LDAP                        TCP 389
IMSP                        TCP 406
IMAP4                       TCP 143
IMAP3                       TCP 220
IMAPS                       TCP 993
POP                         TCP 110
POP3S                       TCP 995
Passive (S)FTP              TCP 21
SMTPS                       TCP 465
Submit                      TCP 587
RDP                         TCP 3389
VNC                         TCP 5900
Citrix                      TCP 1495

Tier JRS1 may be withdrawn in the near future.

Glossary

In the course of the development and deployment of the JANET Roaming Service, specific terms have been developed and used for various roles in the infrastructure. The technologies deployed also carry their own technical jargon. This glossary is designed to help clarify some of the language that is used in describing the service.

AUP Acceptable Use Policy – the set of rules governing what a user may or may not do whilst connected to a network.

CERT Computer Emergency Response Team – those responsible for reacting to computing security incidents. The UK academic team is JANET-CERT.

Certificate In this context, a data file obtained from a trusted source that allows a user to confirm that a given network service (such as a web page) is also validated by that trusted source.

Eduroam The name of a federation of roaming network access initiatives in the educational sphere, of which the JANET Roaming Service programme in the UK is a member. Users with a JRS home site in the UK can gain guest access to networks at any eduroam organisation worldwide.

Home site The organisation that issues you with your username and password, i.e. where you are registered as a member of staff or student.

IEEE 802.1x A set of standards for network access control and authentication that ensure a client is authenticated to the network before being permitted access to network resources.

JANET The data network that connects the UK’s education and research organisations to each other, as well as to the rest of the world through links to the global Internet.

JRS The JANET Roaming Service.

JRS credentials Your username and password for requesting access to JRS-enabled networks. Usually based on your home site credentials, but with the addition of the appropriate realm to your username, e.g. abc96def@reading.ac.uk.

Realm A sequence of characters that identifies a home site, and is added to a home username to create an eduroam or JRS username.

SSID The ‘name’ of a wireless network that allows you to pick it from a list of those your client device can detect.

Tier A level of service within the overall JRS programme in the UK. Multiple tiers are implemented in order to accommodate the various levels of expertise and resources at the wide variety of JRS participant sites, and to give an upgrade path as the technologies involved develop and mature. As a rule of thumb, a higher-numbered tier represents a more secure networking environment.

Visited site The organisation you are visiting when you request network access via JRS, i.e. your physical location.

WEP Wired Equivalent Privacy. WEP was intended to provide equivalent confidentiality and privacy as a wired Ethernet network, hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by WPA in 2003.

WPA Wi-Fi Protected Access. WPA is a class of systems to secure wireless networks. It was developed in response to the flaws found in WEP and was intended as a stopgap until WPA2 was completed.

WPA2 Wi-Fi Protected Access, revision 2. WPA2 is an implementation of the IEEE 802.11i standard for wireless security.

WPA2 Enterprise An implementation of WPA2 that makes use of dynamic security keys to ensure that every wireless client has its own security key and cannot decipher other wireless clients’ traffic.

Portions of this document are copyright the JNT Association. Some content taken from St. George’s University of London “Eduroam SGUL Users Windows XP Edition”.

© University of Reading 2007
© The JNT Association 2006
