Identity Provider (IdP, Authentication Server)

Radius Server (FreeRADIUS, NSP, ISE) 

 

 

eduroam with edu-ID Classic IdP Radius Hosting Managed IdP
 Description

Do your users have an edu-ID? Give them access to eduroam using edu-ID or Entra ID

Run your own RADIUS infrastructure connected to your user directory  Outsource configuration and operation of the RADIUS infrastructure to Switch  Create eduroam user accounts manually. Ideal for institutions with a small user base.
 Strengths
  • Most secure connection using client certificates (EAP-TLS)
  • No separate eduroam credentials
  • No need to operate RADIUS infrastructure
  • Run by the eduoram Operations Team
  • Full control, no external dependencies
  • Users have instant access
  • Profiles can be provisioned on managed devices
  • No inhouse RADIUS expertise needed
  • Authenticate against internal user directory
 
  • Most secure connection using client certificates
  • No user directory and RADIUS needed
  • Works without SWITCH edu-ID
  • User management can be delegated
 
 Weaknesses
  • Only basic VLAN assignment possible
  • Less visibility on access logs > Admin Portal on the roadmap
  • Inhouse RADIUS expertise needed
  • Security issue: Sensitive credential used out of context
  • eduroam policy compliance needs to be ensured internally
 
  • Need to provide external access to user directory
 
  • Not suitable for bigger organisations
  • Increased effort for user management
 

 

'eduroam with edu-ID' IdP

Authentication_geteduroam_ch

The eduroam consortium operates a RADIUS infrastructure - one of the nodes hosted on the Switch Cloud - which is registered as a service in the eduGAIN interfederation. User can use their edu-ID (or Entra ID) to download and install a secure certificate-based eduroam profile.

Organisations on the other hand can decommission their local RADIUS infrastructure and eliminate the risk that user misconfigure their eduroam access or even leak their credentials to untrusty counterparts.

This IdP can optionally provide information about the user in the realm based on the 'eduPersonAffiliation' attribute with typical values being student, staff, alum or affiliate. This can be leveraged for VLAN assignment at the institution.

Switch encourages institution to consider switching from their self-hosted RADIUS server to this approach. Experience from institution that have migrated show that the number of support cases decreases dramatically when using this method in conjunction with the geteduroam app.

Please get in contact with us if you would like to enable 'eduroam with edu-ID'. This IdP can run in parallel with an already existing classic IdP, so you can do initial tests with it while still maintaining your proven RADIUS infrastructure. You might also want to consider using this method for your students, while keeping the on-prem IdP for your staff.

Classic IdP

AuthenticationLocal

The classic IdP is hosted and operated by the institution. This way, institutions can operate fully autonomous within their own domain.

Radius Hosting

Radius Hosting

In this scenario, Switch is hosting and operating the IdP of the institution with the user authentication still happening against the user directory of the institution. With 'Radius Hosting' the institution doesn't need to run their own IdP anymore.

This service is fee-based. It is a good alternative for institutions that for some reason can't do 'eduroam with edu-ID/Entra ID', but don't want to operate their own IdP.

 

Managed IdP

https://hosted.eduroam.org

Documentation

The managed IdP is suitable for smaller institutions that don't want to operate their own RADIUS server and are not providing SWITCH edu-IDs to their users.

User are being manually managed by the administrators of the organisation in the web interface. There is an additional option to create multiple user at once via batch upload, but we currently enforce a limit of 100 users per institution. Use of this service is subject to a charge.

Once the users are successfully created, they can be invited to download an eduroam profile for installation on their devices.