Identity Provider (IdP, RADIUS Server)

eduroam with edu-ID
 Description: Do your users have an edu-ID? Give them access to eduroam using edu-ID.
 Strengths
  • Most secure connection using client certificates (EAP-TLS)
  • No separate eduroam credentials
  • No need to operate RADIUS infrastructure
  • Run by the eduroam Operations Team
 Weaknesses
  • Only basic VLAN assignment possible
  • Less visibility on access logs (Admin Portal on the roadmap)

Radius Hosting
 Description: Outsource configuration and operation of the RADIUS infrastructure to Switch.
 Strengths
  • No inhouse RADIUS expertise needed
  • Authenticate against internal user directory
 Weaknesses
  • Need to provide external access to user directory

Classic IdP
 Description: Run your own RADIUS infrastructure connected to your user directory.
 Strengths
  • Full control, no external dependencies
  • Users have instant access
  • Profiles can be provisioned on managed devices
 Weaknesses
  • Inhouse RADIUS expertise needed
  • Security issue: sensitive credential used out of context
  • eduroam policy compliance needs to be ensured internally

Managed IdP
 Description: Create eduroam user accounts manually. Ideal for institutions with a small user base.
 Strengths
  • Most secure connection using client certificates
  • No user directory and RADIUS needed
  • Works without SWITCH edu-ID
  • User management can be delegated
 Weaknesses
  • Not suitable for bigger organisations
  • Increased effort for user management

'eduroam with edu-ID' IdP

The eduroam consortium operates a RADIUS infrastructure which is registered as a service in the eduGAIN interfederation. Users can use their edu-ID to download and install a secure certificate-based eduroam profile.

Organisations, on the other hand, can decommission their local RADIUS infrastructure and eliminate the risk that users misconfigure their eduroam access or even leak their credentials to untrustworthy counterparts.

This IdP provides rudimentary VLAN assignment capabilities based on the 'eduPersonAffiliation' attribute, with typical values being student, staff, alum or affiliate.

SWITCH encourages institutions to consider switching from their self-hosted RADIUS server to this approach. Experience from other federations (UK, Netherlands) has shown that the number of support cases decreases dramatically when this method is used in conjunction with the geteduroam app.

Please get in contact with us if you would like to enable 'eduroam with edu-ID'. This IdP can run in parallel with an already existing classic IdP, so you can do initial tests with it while still maintaining your proven RADIUS infrastructure. You might also want to consider using this method for your students, while keeping the on-prem IdP for your staff.

Radius Hosting

For institutions that don't want to run the RADIUS part of eduroam themselves, Switch offers to host a dedicated RADIUS server for you. This setup comprises two productive servers running in our data centers in Lausanne and Zurich, plus an additional test and monitoring infrastructure.

The RADIUS servers in turn query the institutional user directory (OpenLDAP, Active Directory and Entra ID are supported, among others) to respond to authentication requests.

This is a chargeable service, but if your institution lacks the necessary RADIUS expertise, is running a RADIUS server only for eduroam and would like to get rid of it, this is an investment that will pay off in no time.

Classic IdP

Documentation

As the name implies, the classic IdP has been, and still is, the preferred method for authenticating eduroam users, and has been for many years.

In this scenario, the institution operates its own RADIUS infrastructure. When an authentication request arrives, the RADIUS server queries the local user directory (LDAP, AD) to decide whether the provided credentials are valid and the user can be accepted.

Running a classic IdP has the advantage that users don't need to be created manually: they already exist in the user directory. Additionally, a fine-grained and flexible VLAN assignment based on specific user attributes can be achieved this way.
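Both the rudimentary 'eduPersonAffiliation' VLAN assignment of the 'eduroam with edu-ID' IdP and the finer-grained, attribute-based assignment of a classic IdP come down to the same mechanism: after a successful authentication the RADIUS server looks at the user's directory attributes and returns the RFC 3580 tunnel attributes in the Access-Accept so the access point places the session in a VLAN. The following Python block is an added example, not SWITCH's or eduroam's code, and illustrates that logic with a constructed first-match rule table; the VLAN IDs, the 'ou' condition and the sample directory entries are assumptions chosen for illustration.

```python
# Added example (not SWITCH's or eduroam's code): first-match VLAN policy driven by
# LDAP-style multi-valued attributes, returning the RFC 3580 RADIUS reply attributes.
from typing import Dict, List, Set, Tuple

# A directory entry as a RADIUS server sees it after an LDAP lookup: every
# attribute is multi-valued.
LdapEntry = Dict[str, List[str]]

# Constructed institutional policy (VLAN IDs are sample values). Rules are
# evaluated top to bottom and the first match wins, so a user carrying several
# affiliations (e.g. student and alum) lands in the VLAN of the earliest rule.
# The edu-ID IdP only evaluates eduPersonAffiliation (student, staff, alum,
# affiliate); a classic IdP can add further attributes, such as the assumed
# 'ou' condition in the first rule, which is what makes it "fine-grained".
VLAN_RULES: List[Tuple[Dict[str, str], int]] = [
    ({"eduPersonAffiliation": "staff", "ou": "it-services"}, 11),
    ({"eduPersonAffiliation": "staff"}, 10),
    ({"eduPersonAffiliation": "student"}, 20),
    ({"eduPersonAffiliation": "alum"}, 30),
    ({"eduPersonAffiliation": "affiliate"}, 30),
]
DEFAULT_VLAN = 99  # constructed: restricted VLAN for users no rule matches


def _normalise(entry: LdapEntry) -> Dict[str, Set[str]]:
    """Lower-case and strip every value so comparisons are case-insensitive."""
    return {attr: {v.strip().lower() for v in values} for attr, values in entry.items()}


def _matches(entry: Dict[str, Set[str]], conditions: Dict[str, str]) -> bool:
    """Every condition must be satisfied by at least one value of that attribute."""
    return all(value.lower() in entry.get(attr, set()) for attr, value in conditions.items())


def select_vlan(entry: LdapEntry) -> int:
    """Return the VLAN ID of the first matching rule, or DEFAULT_VLAN if none matches."""
    normalised = _normalise(entry)
    for conditions, vlan_id in VLAN_RULES:
        if _matches(normalised, conditions):
            return vlan_id
    return DEFAULT_VLAN


def vlan_reply_attributes(vlan_id: int) -> Dict[str, str]:
    """The attribute triple from RFC 3580 section 3.31 that a RADIUS server adds to
    Access-Accept so that the access point assigns the session to the given VLAN."""
    return {
        "Tunnel-Type": "VLAN",             # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",  # numeric value 6
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def access_accept_for(entry: LdapEntry) -> Dict[str, str]:
    """Combine the rule lookup and the attribute encoding for one authenticated user."""
    return vlan_reply_attributes(select_vlan(entry))


if __name__ == "__main__":
    # Constructed sample directory entries.
    samples = {
        "IT staff member": {"eduPersonAffiliation": ["staff"], "ou": ["IT-Services"]},
        "lecturer": {"eduPersonAffiliation": ["staff"], "ou": ["Physics"]},
        "student who is also an alum": {"eduPersonAffiliation": ["alum", "student"]},
        "unmapped affiliation": {"eduPersonAffiliation": ["visitor"]},
    }
    for label, entry in samples.items():
        print(f"{label:30s} -> {access_accept_for(entry)}")
```

Rule order is the whole policy: putting the 'student' rule before the 'alum' rule is what decides where a user with both affiliations ends up, so an institution should review that order as carefully as the VLAN IDs themselves. Users that match no rule deliberately fall through to a restricted VLAN rather than being rejected, which keeps the authentication decision (credential valid or not) separate from the authorisation decision (which network segment).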

For additional security, it is strongly recommended to use a separate eduroam password and not the one that is being used to access other internal services (Intranet, Mailbox, LMS).

With the option to deploy eduroam profiles using the SWITCH edu-ID and the rise of the Zero Trust Architecture, which is in contrast to permission handling using VLANs, the need to manage a RADIUS infrastructure on campus might diminish over time. Especially if eduroam is the only reason to operate a local RADIUS server, a migration to 'eduroam with edu-ID' might become an attractive option.

Managed IdP

https://hosted.eduroam.org

Documentation

The managed IdP is suitable for smaller institutions that don't want to operate their own RADIUS server and do not provide SWITCH edu-IDs to their users.

Users are managed manually by the administrators of the organisation in the web interface. There is an additional option to create multiple users at once via batch upload, but we currently enforce a limit of 100 users per institution.

Once the users are successfully created, they can be invited to download an eduroam profile for installation on their devices.