CAF – eVA for Organization Administrators

Introduction

eduroam Visitor Access Overview

eduroam Visitor Access (eVA) can be usedto create temporary eduroam accounts and assign them to your organization’s visitors. This allows visitors to use the same secure and reliable Wi-Fi network as your organization’s students, researchers, faculty, and staff. It also provides your organization with some baseline identity information from your visitors while they are using your network, avoiding the IT department and business process overhead of managing guest and temporary accounts.

As your organization’s eVA Administrator, you can create and manage all the eVA profiles and associated permissions that will be assigned to your user base. You also have access to all other eVA features[1]. eVA Organization Administrators can create and manage user profiles, whereas CERT (Computer Emergency Readiness Team) members can view, edit, and terminate all temporary eduroam accounts at your organization.

Benefits

Visitors can:

  • use the eduroam network securely and are no longer at the mercy of less secure open guest networks or other unknown Wi-Fi networks in the vicinity of the organization.
  • be provided with secure Wi-Fi connections quickly and efficiently.

Organization can:

  • allow guests to gain access with minimal administrative effort from your IT organization
  • know who is on your network and retain control of all accounts.
  • be assured that accounts are time-boxed and automatically expire at the end of the defined access period, without further intervention.
  • allow the decommissioning of all non-eduroam Wi-Fi networks at the organization, as all Wi-Fi needs can now be serviced via eduroam.

How Does it Work?

You can create accounts using the eVA online portal: https://eva.eduroam.ca


No installation required – all you need is an internet browser.


Staff at your organization will also have access to this intuitive web portal (based on profile permissions), which allows them to allocate temporary eduroam accounts to their visitors. Once an account has been created, the visitor will receive an e-mail and/or text message with their personal login credentials. The credentials automatically expire after a set a period – defined during account creation.

Key Principles

The secure, reliable eduroam network is used by students and staff in your institution using their organizational accounts. To keep the network secure and reliable, it is important that access is refused to unauthorized visitors.

As an eVA Organization Administrator, your role is to enable staff and employees of your organization (who are acting as hosts) to give visitors temporary access to eduroam. To ensure we keep eduroam secure and reliable, always apply the following principles when creating user accounts and profiles during eVA configuration and administration:

  • Your organization is responsible for the accounts created using eduroam Visitor Access. This also applies to accounts guests create themselves through the SMS Events functions.
  • Your organization is responsible for the hosting, support, and guidance of guests and the smooth operation of the network.
  • The visitor(s) must be at your organization for research or education purposes.
  • eVA accounts should only be created for the expected duration of the user’s visit.
  • Visitors should be encouraged to use the eVA eduroam CAT profile[2] to configure their devices to keep their session secure.

Functions of eVA Organization Administrators

Inviting New eVA Organization Administrators

As an eVA Organization Administrator, you can create Organization Administrator accounts for others in your organization. 

To create an Organization Administrator account:

  1. Hover your cursor over your name in the upper-right hand corner of the portal and select “Administrator Invitations”.
  1. Select “New Administrator Invitations”
  1. Enter the e-mail address of the individual you wish to make an Organization Administrator as well as the level of access that you would like to grant them.

NOTE: Organization Administrators can invite and remove other Organization Administrators. We encourage you to be selective in assigning this role to new individuals.

  • Once you click “Submit”, the invited Administrator will receive an e-mail with a link for them to access to the portal.

You will only be able to view the Organization Administrators that you invite, not those invited by other eVA Administrators at your organization.  Please contact tickets@canarie.ca if you wish to obtain a full list of your organization’s eVA Administrators.

  • If the invited Organization Administrator does not receive the e-mail, please ensure that it has not been marked as ‘Junk’ or quarantined as ‘Spam’. 
  • Further details regarding the ‘Organization CERT’ function are discussed later in this guide.

Removing an eVA Organization Administrator

You can remove an eVA Organization Administrator that you have invited by selecting “Administrator Invitations” in the upper-right hand corner of the portal and then clicking on the delete icon .

You are only able to view the Organization Administrators that you have invited. To request a full list of your organization’s eVA Administrators and/or to request to remove an Organization Administrator that does not appear their list, the Primary Technical Contact for your organization must contact CANARIE by e-mail at tickets@canarie.ca.

Creating and Managing User Profiles

For your organization’s staff to act as hosts who can create temporary eduroam visitor accounts, a profile that defines their user permissions must first be created in eVA. As an eVA Organization Administrator, user profiles are quick and easy for you to create, but it is important to think carefully about their design and access permissions. This will prevent unintentional or deliberate unauthorized use of eduroam Visitor Access.

Without profiles, users can log on to eduroam Visitor Access, but they cannot use it to create visitor accounts.  Note that this also applies to Organization Administrator accounts, so make sure to create a profile for yourself if you want the ability to create guest accounts and SMS Events.

Profile Types

eduroam Visitor Access has three profile types:

  1. Individual Profiles

Valid for one person only and are based on the user’s e-mail address.

  1. Group Profiles

Valid for several users and are based on the e-mail addresses of users that have been placed in a group. Every group has its own configuration. If several users have the same configuration, we recommend giving them a group profile rather than create several individual personal profiles.

  1. Role Profiles

Valid for groups of users with the same role. This type of role is based on the eduPersonScopedAffiliation attribute and can be either an “Employee” or “Staff”. The organization’s federated identity management system provides this attribute when the user logs on to eduroam Visitor Access.

The value of this attribute is determined by the organization’s identity management system (such as LDAP or Active Directory).

  • The values of “Employee” and “Staff” are supported in eduroam Visitor Access for the eduPersonScopedAffiliation attribute. More information about the eduPersonScopedAffiliation attribute can be found here.
  • If a user matches a role-based profile but also has a personal profile, the rights of the personal profile will apply. You can create a role-based profile with a global configuration for a large group of users and create a personal profile for an individual with a different configuration (with more rights, for example).

Rights Within a Profile

When you create a profile, you assign the user one or more of the following rights:

  • Users with this profile may add visitors
  • Users with this profile may upload batches of visitors (creation of visitor accounts through the upload of a .csv file)
  • Users with this profile may create groups (creation of groups of eVA Visitors that are not linked to an individual)
  • Users with this profile may create SMS Events (creation of time-boxed events allowing visitors access to the eduroam Wi-Fi network using an SMS keyword)
  • This is a team[3]

Only assign the Users with this profile may create groups and the Users with this profile may create SMS Events rights to a very limited group of users. These functions allow the user to create temporary eduroam accounts without knowing who will be using them. Improper use of these functions can have a significant negative impact on your organization’s networks and that of other eduroam providers.

How to Create a Profile

  1. Log on to eduroam Visitor Access at https://eva.eduroam.ca
  2. From the main menu, click Admin > Profiles and select “Create profile”.

The following screen appears:

  1. Choose one of the following options:
    • Individual Profile – personal profile based on the user’s e-mail address
    • Group Profile – group profile based on e-mail addresses of users in the group
    • Role Profile – role-based profile based on the user’s eduPersonScopedAffiliation attribute

Note: Group and Role Profiles have a new option in the permissions checklist called This is a team. We discuss this feature further below.

Email Profile Fields Descriptions


How How to Edit or Delete a Profile

To view your previously created profiles, from the main menu, click on Admin > Profiles.

  • Click to edit the profile details.
  • Click to delete the profile.
  • Click to edit or delete the e-mail addresses. This icon is only visible for group profiles.
  • If you delete a profile, the rights of the host user(s) in this profile expire, however any temporary eduroam visitor accounts that the users had previously created will remain active until the end of the validity period.

eVA Teams

When logged in as an Organization Administrator, you can now add Group and Role Profiles to a team. Team members within a particular Group or Role can manage guest accounts created by others on their team. The team feature is particularly useful for Group/Role profiles that are created to manage help desks or registration/reception desks.

To add a profile to a team, check This is a team at the bottom of the list of permissions when creating your Group/Role Profile.

Group/Role profiles can be added to more than one team as teams do not intersect — each team is an individual entity. Group/Role profile users that have been added to a team are able to see visitors created by other team members. This feature is not available when creating Individual Profiles.

Creation of 1-Day SMS Events

The 1-day SMS Event functionality allows your organization to give users a temporary self-service eduroam account for that is valid for one (1) day, using an SMS keyword.

These 1-day SMS keywords are viewable and modifiable by clicking Admin > 1-day SMS Keywords.
You have the following options:

  1. Send daily SMS code with email
  2. Click on the Keyword to view the SMS narrowcast/poster for that date
  3. Click to change the details of a 1-day SMS keyword. You can only change the maximum number of visitors that can access eduroam simultaneously using this keyword (the keyword itself cannot be changed).
  4. Click to delete a 1-day SMS keyword.

Creating a Poster to Promote 1-Day SMS Events

You can view a poster/html page for a 1-day SMS via Admin > 1-day SMS Narrowcast.

This poster updates automatically. It can be printed and displayed in strategic locations around your campus or used as an HTML page on tablets or other screen displays.

Preventing Abuse of SMS Events

The SMS Events function allows large groups of visitors to gain access to eduroam simultaneously without any administrative burden for your organization. However, given that the identity of those who are given access is unknown, the risk of unauthorized use is increased.

Since SMS-served accounts are self-service, there is no record of the identity of the visitor who is given access to an eduroam Visitor Access account and if a keyword is distributed on a large scale, there is increased risk of unauthorized use.

To reduce the risk of unauthorized use, please follow these recommendations for SMS Events:

DO distribute the keyword (in combination with the date and phone number) using one or more of the following methods:

  • print the keyword on visitor badges
  • provide it on a business card
  • include it in one of the presenters’ slides
  • post it on the intranet for employees
  • embed it in a narrowcast system
  • show it on screens or cards near a desk / reception area that your visitors will walk past

DO NOT distribute the keyword using any of these methods:

  • on social media posts (e.g., via Twitter)
  • in newsletters
  • on public websites or in other (physical or virtual) places where the keyword can be seen by people not entitled to eduroam access

“All Visitors” Overview 

eVA Organization Administrators can view all visitor accounts for their own organization; however, editing and deleting visitor accounts can only be done by CERT members or by the users that created the visitor accounts.

In the main menu, click on Admin > All visitors to view an overview of all visitor accounts (including “Future”, “Active”, “Ended” and “Expired” accounts).

Functions of Computer Emergency Readiness Team (CERT) Members

CERT members can view, edit, and terminate all the visitor accounts for their own organization.

Viewing, Editing and Deleting Visitor Accounts

In the main menu, click on CERT > All Visitors

You have the following options:

  • Search for accounts
  • Edit account (click on the link in the “Visitor ID” column)
  • Click  to delete an account

Viewing & Editing User Profiles

CERT users can also edit user profiles and in the event of incidents or other disasters, they can adjust the profile parameters to prevent unauthorized use.

In the main menu, click CERT > All Profiles

You have the following options:

  • Search for profiles
  • Edit profiles (click on the link in the “Profile Name” column)
  • Click  to delete an account

Recommended eVA User Profiles and Permission Sets

As an eVA Organization Administrator, you have discretion in setting the user profiles for your organization. To ease the process of creating and managing group accounts and SMS Events[4], you may wish to provide these richer permission sets to a limited number of “Super Users”, while allowing regular staff and employees the ability to create a small number of individual accounts for a constrained timeframe.

An example profile configuration could be as follows:

  • Assign the privilege to create groups and SMS event to a very limited group of users. These functions allow the user to create temporary eduroam accounts without knowing who will be using them. Improper use of these functions can compromise the security of your organization’s Wi-Fi network.

Support for eVA Organization Administrators

You are the point of contact for all support of eVA users at your organization. However, should you require additional support or have any questions, you can contact CANARIE by e-mail at tickets@canarie.ca.


[1] Group, batch and regular SMS Event functions are described in the document titled “User Guide: eduroam Visitor Access (eVA) for Super Users”.  Individual account creation is described in the document titled “User Guide: eduroam Visitor Access (eVA) for Standard Users”.

[2] The link to the CAT profile for eVA can be found in the ‘eVA Instructions for Visitors’ section on the CANARIE website, here: https://www.canarie.ca/identity/support/eva-instructions-for-visitors

[3] This option only available for Group and Role profiles

[4] Not including 1-day SMS which can only be created/managed by eVA Organization Administrators