Introduction to eduroam Visitor Access (eVA)


Updated 26/04/2022

On this page:

  • What is eVA?
  • About visitor accounts
  • How visitor accounts are created
  • Management
  • Service Restrictions/Pre-requisites
  • Setting up devices to work with eVA
  • How to participate

What is eVA?

Guests become eduroam visitors for the duration of their stay: eduroam Visitor Access (eVA) is a managed IdP 'cloud' service for the creation of eduroam accounts for visitors. Guests from outside the eduroam community connect to your standard eduroam service using temporary accounts that you create in the eVA managed IdP. Since the accounts have the 'eva.ac.uk' realm name they appear to your eduroam service simply as normal eduroam visitors.

Completely separate from your internal systems: Organisations do not need to alter or configure their eduroam services in any way nor worry about adding temporary accounts in the organisation's LDAP database/user directory. Authentication requests for eVA guest user devices are handled by the organisation’s existing eduroam infrastructure. eVA guests are authenticated by the eVA IdP in exactly the same way as for any eduroam visitor.

Easy creation of guest accounts using the eVA web portal: the web portal makes it easy for your admin staff, events organisers, visitor hosts etc. to create eduroam accounts for visitors in the guest user database on the backend eVA RADIUS server. (NB: an API is available for systems integration if required.)

Save costs, leverage value: eVA allows the organisation to leverage value from its existing eduroam infrastructure and, since visitor access account creation is delegated to the staff needing to perform this function, allows the central IT team/facilities administration to concentrate on their core activities. Whilst eVA guest accounts are true eduroam accounts, you don't need to add and delete temporary accounts in your own organisation's user directory.

Self-service/kiosk function available: the optional SMS-account-request function enables visitors to request guest accounts by SMS. By sending an event/day specific keyword text, guest accounts can be provisioned by return of SMS. Perfect for open days and conferences.

Easy device setup options for visitors: the CAT and geteduroam systems are fully supported and visitors receive a welcome e-mail and/or text with credentials and setup instructions for PEAP/MSCHAPv2 authentication. The EAP-PWD method is supported too, which means hassle-free connection for Android users.

Flexible deployment solution: The eVA hosting web portal provides events organisers and university staff who are acting as hosts to visitors with an easy-to-use tool that allows them to create guest accounts for their visitors for the duration of the visit. This provides the solution for provision of guest accounts for visitors who are not from an eduroam organisation (or individuals not affiliated with any organisation).

Portal users are grouped into Profiles that the organisation's service Administrators manage. Each Profile can be tailored as appropriate to suit the category of portal user. The various ways that guest accounts can be created can be managed together with parameters such as the number of accounts and duration of account that a host can create.

About visitor accounts

Using the eVA web portal, the service provides a number of ways for visitor accounts to be created:

  • individually using visitor name, e-mail address and/or mobile number
  • in batches by uploading a csv file containing visitor name, e-mail address and/or mobile number
  • as a group of non-defined visitors; credentials can be assigned to and recorded against individuals on the day of issue
  • by user self-service SMS-requested accounts; an event keyword is sent to the service SMS number and credentials are returned by text
  • quick 1 day account create feature using just an e-mail/mobile number - to cater for unexpected guests!

Whilst provisioning of the guest account before arrival, via e-mail, is the best solution, visitor credentials and how-to-connect guidance can be delivered on campus by SMS, 4G-enabled e-mail or even in paper form via a print out in a welcome pack.

Validity of accounts:

  • accounts can be set up in advance of the visit or event
  • the duration of validity can be set between 1 day and 1 year
  • password length can be adjusted to satisfy organisation policy

Delivery of account credentials/account welcome message - there are a number of ways for the visitor to receive account information:

  • e-mail 
  • SMS (host provisioned or self-service SMS-requested accounts)
  • on paper/verbally

This means that the service can support visitors who are known to the host as well as providing for visitors who turn up on the day. 

Eligibility:

Any visitor who would be eligible to be connected to your Janet-supported network may be connected using eVA. This means that any visitor from the academic, research or cultural community is eligible, as is anyone whose visit is related to your organisation's academic, research and cultural engagement mission or the provision/delivery of supporting services. Non-related visits by the public, for instance to cafes or third party operated ventures, are excluded.

How visitor accounts are created

Standard, per guest, creation - guest accounts can be set up individually by the host entering the name, e-mail, mobile number and account validity dates into the portal. The guide 'eVA Create Temporary Accounts in Five Steps' details how to use the eVA portal to do this. The account setup welcome message that is generated by the system for the guest users contains credentials (and a link to instructions on how to set up eduroam/CAT for eVA) and can be distributed by e-mail and/or SMS.

Batch creation by csv upload - the portal also allows events organisers/hosts to create accounts in bulk by uploading a csv file containing the requisite details. The account setup welcome message will be distributed by e-mail and/or SMS.

Non-defined group creation - if a group of guests is due to visit but you don't know the names of the delegates in advance, you can create a group of non-user-specific accounts in advance and distribute the credentials manually on the day of the visit.

SMS-requested creation for events - for occasions where unknown attendees (who are still legitimate visitors) turn up on the day of an event, e.g. open days, eVA has the capability of ‘self-service’ provision of guest accounts using the SMS-request account feature.

How the SMS-request function works: SMS-request accounts can be created by the guest sending a text to the eVA SMS-request number (+44 7860 039833) using a keyword, that the events organiser defines, in the message. eVA creates an account and texts the credentials (and a link to instructions on how to set up eduroam/CAT for eVA) to the guest.

The guest can then either use the credentials directly to insert into their device supplicant or use 3/4G to access the eduroam CAT via a URL link https://cat.eduroam.org/?idp=2177 and download the CAT installer that will set up the guest’s device 100% correctly. The organiser can enable the guest account to be valid for a very short duration up to five days maximum (since there is only a very limited traceability of the user based simply on mobile phone number).

SMS-requested accounts can be valid from one to a maximum of five days.

Further information about the SMS-request function

Management

Portal User/Hosts - The service has powerful management functions that provide for various profiles of hosts to be created by the organisation's eVA access administrator (AAI Coordinator) and portal users with Admin roles. By creating different Profiles and tailoring the assigned permissions, various categories of portal user/host can be given appropriate permissions to use the various account creation means, visitor account distribution methods, set appropriate maximum validity periods, and maximum number of accounts that may be created etc.

eVA now supports team management of guest accounts, so a guest account created by one member of a host team can be seen and modified by all members of the team.

CERT and Admin portal users - the portal Admin users can create additional Admin and CERT users as well as normal portal users. Normal portal users (hosts) are created simply by the Admin adding the e-mail address of the user into a Group Profile. But for Admin and CERT users, the Admin must use the drop-down menu under their own account, which can be found on the top right-hand side of any eVA portal page. Click on your username and the drop-down menu will appear with the options: Help & Support; Invitations; Logout. Click on 'Invitations' and click the [New invitations] button. Enter the user's e-mail address and select the required roles from the options: Organization Admin, Organization CERT. Click on the [Submit] button.

Alternatively, you can send in a request to eduroam(UK) for a normal portal user’s permissions to be uprated to CERT and/or Admin.

Service Restrictions/Pre-requisites

In order for the range of visitor type/credentials distribution methods to be compliant within the eduroam(UK) Policy, authentication of eVA visitors is restricted to the host organisation network – inter-institution roaming is not supported for eVA visitor accounts.

Membership of UKAMF/eduGAIN is essential since log in to the eVA portal (which enables the admins/events organisers/hosts at the organisation to use the service) is only supported through federated SSO via eduGAIN. Prospective participants should check that their SSO system can release the attributes required to the eduroamvisitoraccess SP.

See https://community.jisc.ac.uk/system/files/257/eVA%20SAML%20SSO%20Guidance.pdf

Setting up devices to connect to eduroam using eVA

To connect to eduroam using eVA, visitor devices need to be set up for eduroam. The authentication methods used are PEAP/MSCHAPv2 and EAP-PWD. Guest credentials are in the form of username (abcd@eva.ac.uk) and password. To make device setup easy, eVA has been configured in the eduroam CAT system, so users can make use of that to get their devices set up using a straightforward process - although the organisation should expect to provide some support for the occasional user who experiences difficulty. The EAP-PWD option provides a simple option for Android users since with this method only the username and password are needed and installation of the geteduroam or CAT App is not necessary.

After the guest has received their credentials (and made a note of them), the recommended process for completing device setup varies according to type of device. This is the same user experience as for mainstream eduroam users. eVA is fully supported in CAT, the CAT App and geteduroam (the web sites auto-detect the client).

Ideally, home broadband or another data service should be used to set up devices for eVA ahead of the visit. Visitors who arrive on campus without their device set up will, if using PEAP/MSCHAPv2, need to use a 4G data service to acquire the App and access CAT unless a local Wi-Fi onboarding service is available. Users whose devices support EAP-PWD can use the Apps, but this is not necessary: if EAP-PWD is selected, only the username and password need be entered.

EAP-PWD:

Devices which support EAP-PWD - users should select this method and enter the eVA guest account credentials when prompted.

PEAP/MSCHAPv2:

Windows devices - users should use the CAT web site https://cat.eduroam.org/?idp=2177 to run the installer to set up an eduroam Wi-Fi profile for eVA(UK).

Apple iOS/macOS devices - users should use the CAT web site https://cat.eduroam.org/?idp=2177 to get the mobileconfig file to set up an eduroam Wi-Fi profile for eVA(UK).

Android pre-11 users should install the eduroam CAT App and visit the cat.eduroam.org web site to get the eVA(UK) profile and use the CAT App to set up an eduroam Wi-Fi profile for eVA(UK).

Android 11 users should use the geteduroam App https://play.google.com/store/apps/details?id=app.eduroam.geteduroam which uses the CAT web site for the profile to configure the Android Wi-Fi software for eduroam for eVA(UK).

Further details about setting up devices for eVA

How to participate

eduroam Visitor Access is a chargeable add-on service to eduroam and application to participate can only be accepted from authorised senior management staff at the organisation. Participating organisations must of course have an operational eduroam service and since access to the eVA portal is only possible by using federated single sign on, the organisation must also participate in UKAMF or eduGAIN.

The Jisc web site product page is at: https://www.jisc.ac.uk/eduroam-visitor-access

To request a quotation or to place an order: https://www.jisc.ac.uk/forms/start-using-eduroam-visitor-access