Introduction to eduroam Visitor Access (eVA)


What is eVA

eduroam Visitor Access (eVA) is a managed IdP 'cloud' service for the creation of eduroam accounts for visitors. Organisations do not need to alter or configure their eduroam services in any way. The creation of eduroam accounts for visitors is carried out through a web portal to the backend eVA RADIUS server and guest user database. Authentication requests for eVA guest user devices are handled by the subscribing organisation’s existing eduroam infrastructure. eVA guests are authenticated by the eVA IdP in exactly the same way as for any eduroam visitor.

eVA allows the organisation to gain even more value from its existing eduroam infrastructure. Because visitor account creation is delegated to the staff who need to perform this function, the central IT team/facilities administration can concentrate on their core activities. eVA also means you can avoid adding and deleting guest accounts in the organisation user directory.

Events organisers and university staff who act as hosts to visitors from non-eduroam organisations (or even individuals not affiliated with any organisation) can be enabled to create guest eduroam accounts that are valid for the duration of the visit. The visitor receives the eduroam credentials and device setup help via e-mail, SMS or even as a printout. eVA is fully CAT-enabled, thereby facilitating problem-free user device setup.

How visitor accounts are created

The eVA web portal provides a number of ways to create visitor accounts and to pass the associated credentials to the visitors. This means that the service can support visitors who are known to the host as well as visitors who turn up on the day. Credentials can be delivered to visitors by e-mail, SMS or on paper/verbally.

Guest accounts can be set up individually by the host entering the name, e-mail, mobile number and account validity dates into the portal (see "eVA Create Temporary Accounts in Five Steps"). The account setup welcome message that the system generates for guest users contains the credentials (and a link to instructions on how to set up eduroam/CAT for eVA) and can be distributed by e-mail and/or SMS.

The portal also allows events organisers/hosts to create accounts in bulk by uploading a csv file containing the requisite details. The account setup welcome message will be distributed by e-mail and/or SMS.

If a group of guests is due to visit but you don't know the names of the delegates in advance, you can create a group of non-user-specific accounts in advance and distribute the credentials manually on the day of the visit.

For events where attendees turn up on the day, e.g. open days, eVA has the further capability of ‘self-service’ provision of guest accounts using the SMS-request account feature.

How the SMS-request function works: the guest sends a text to the eVA SMS-request number (+44 7860 039833) containing a keyword that the events organiser defines. eVA creates an account and texts the credentials (and a link to instructions on how to set up eduroam/CAT for eVA) to the guest.

The guest can then either enter the credentials directly into their device supplicant or use 3G/4G to access the eduroam CAT via the URL https://cat.eduroam.org/?idp=2177 and download the CAT installer, which will set up the guest’s device 100% correctly. The organiser can set the guest account to be valid for a very short duration, up to a maximum of five days (since there is only very limited traceability of the user based simply on a mobile phone number).

Restrictions

In order for the range of visitor types and credential distribution methods to be compliant with the eduroam(UK) Policy, authentication of eVA visitors is restricted to the host organisation network; inter-institution roaming is not supported for eVA visitor accounts.

Membership of UKAMF/eduGAIN is essential since log in to the eVA portal (which enables the admins/events organisers/hosts at the organisation to use the service) is only supported through federated SSO via eduGAIN. Prospective participants should check that their SSO system can release the attributes required to the eduroamvisitoraccess SP.

See https://community.jisc.ac.uk/system/files/257/eVA%20SAML%20SSO%20Guidance.pdf

Setting up devices to work with eVA

To facilitate the setup of visitor devices to work with eduroam, the eVA identity management system utilises the eduroam CAT service. Getting devices set up is therefore a straightforward process, although the organisation should expect to provide some support for the occasional user who experiences difficulty. After guests have received their credentials they should go to https://cat.eduroam.org/?idp=2177 for the installer (the web site auto-detects the client).

Users may of course set up their devices manually, using the credentials that are e-mailed to guests, although this is not recommended. The system utilises PEAP/MSCHAPv2.

Management

The service has powerful management functions that allow various profiles of hosts to be created, so that each type of host can be given appropriate permissions: which account creation means and visitor account distribution methods they may use, the maximum validity period they may set, and the maximum number of accounts they may create.

How to participate

eduroam Visitor Access is a chargeable add-on service to eduroam and application to participate can only be accepted from authorised senior management staff at the organisation. Participating organisations must of course have an operational eduroam service and since access to the eVA portal is only possible by using federated single sign on, the organisation must also participate in UKAMF or eduGAIN.

The Jisc web site product page is at: https://www.jisc.ac.uk/eduroam-visitor-access

To request a quotation or to place an order: https://www.jisc.ac.uk/forms/start-using-eduroam-visitor-access