Identity Provider (IdP, Authentication Server)

Radius Server (FreeRADIUS, NSP, ISE) 

 

 

 eduroam with edu-ID Radius Hosting Classic IdP Managed IdP
 Description

Do your users have an edu-ID? Give them access to eduroam using edu-ID

 Outsource configuration and operation of the RADIUS infrastructure to Switch  Run your own RADIUS infrastructure connected to your user directory Create eduroam user accounts manually. Ideal for institutions with a small user base.
 Strengths
  • Most secure connection using client certificates (EAP-TLS)
  • No separate eduroam credentials
  • No need to operate RADIUS infrastructure
  • Run by the eduoram Operations Team
  • No inhouse RADIUS expertise needed
  • Authenticate against internal user directory
 
  • Full control, no external dependencies
  • Users have instant access
  • Profiles can be provisioned on managed devices
  • Most secure connection using client certificates
  • No user directory and RADIUS needed
  • Works without SWITCH edu-ID
  • User management can be delegated
 
 Weaknesses
  • Only basic VLAN assignment possible
  • Less visibility on access logs > Admin Portal on the roadmap
  • Need to provide external access to user directory
  • Inhouse RADIUS expertise needed
  • Security issue: Sensitive credential used out of context
  • eduroam policy compliance needs to be ensured internally
 
  • Not suitable for bigger organisations
  • Increased effort for user management
 

 

'eduroam with edu-ID' IdP

The eduroam consortium operates a RADIUS infrastructure which is registered as a service in the eduGAIN interfederation. User can use their edu-ID to download and install a secure certificate-based eduroam profile.

Organisations on the other hand can decommission their local RADIUS infrastructure and eliminate the risk that user misconfigure their eduroam access or even leak their credentials to untrusty counterparts.

This IdP provides rudimentary VLAN assigment capabilities based on the 'eduPersonAffiliation' attribute with typical values being student, staff, alum or affiliate.

SWITCH encourages institution to consider switching from their self-hosted RADIUS server to this approach. Experience from other federations (UK, Netherlands) has shown that the number of support cases decreases dramatically when using this method in conjunction with the geteduroam app.

Please get in contact with us if you would like to enable 'eduroam with edu-ID'. This IdP can run in parallel with an already existing classic IdP, so you can do initial tests with it while still maintaining your proven RADIUS infrastructure. You might also want to consider using this method for your students, while keeping the on-prem IdP for your staff.

Managed IdP

https://hosted.eduroam.org

Documentation

The managed IdP is suitable for smaller institutions that don't want to operate their own RADIUS server and are not providing SWITCH edu-IDs to their users. 

User are being manually managed by the administrators of the organisation in the web interface. There is an additional option to create multiple user at once via batch upload, but we currently enforce a limit of 100 users per institution.

Once the users are successfully created, they can be invited to download an eduroam profile for installation on their devices.