eduroam CAT (Configuration Assistance Tool)


Audience: this document is relevant to eduroam system administrators only.

What is eduroam CAT?

eduroam CAT stands for Configuration Assistance Tool. It allows eduroam Home service providers (IdPs) to create installer executables which generate pre-defined configuration profiles for a range of supplicants. This allows the organisation to provide users with a means to ensure a standardised setup of their devices and assurance that the configuration will work most effectively with eduroam.   It greatly simplifies the process of setting up eduroam for users.

Individuals visiting the CAT web site can select their organisation and be presented with the range of appropriate installers. Organisations can either point their users towards this site or they can download the installers and embed these into their own eduroam Service Information web page/device setup instructions pages. (This removes dependence on an outside web service.)

eduroam CAT is FREE.

Who operates the CAT service?

The eduroam CAT configuration tool was developed as part of the Geant3 eduroam project and is delivered through the European eduroam Operations team.

eduroam(UK) is the Janet service that delivers eduroam in the UK and that operates the National Proxies and the Support server which underpins configuration of the national service. CAT is not a Janet service. However, service administrators must be nominated by the relevant NREN, so for the UK all organisational account queries have to go via eduroam(UK) Support.

How to access the service

The service is only available to participating organisations which have asserted that they provide an operational Home service which complies with the Technical Specification requirements. Your assertion is made through the eduroam(UK) Support web site, on your main configuration page. You will need to assert both your compliance type (Home-only, Home and working towards Visited or Home and Visited) and your service level (operational status). In order to access the eduroam CAT Administrators section you need to be a validated contact for the organisation. This is done via federated access and a 'known person' token.

Getting an access token

To get a token, UK sys admins can send a request using the [eduroam CAT invite] button in the eduroam CAT invite panel on the main configuration page for your site on the eduroam(UK) Support server. This is a 'one time' operation: once a token is claimed you cannot ask for another (to stop a flood of spammy requests if there is an issue), although we can reset that request if required. The token lasts for 24 hours, so please only request it when you know you are going to be using it when it arrives. Since there is a manual process at our end, please make your request early on a work-day morning to ensure it is actioned. The token will be sent to the primary e-mail contact address for the organisation.

Once the token has arrived you simply follow the link. TERENA and eduroam Europe are very keen on federated access via eduGAIN. The UK Access Management Federation has now joined eduGAIN, so you could use your federated access credentials if you have them (*). As an alternative you can use any social network credentials you have to log in (Facebook, Google, Twitter, LinkedIn). This account is just to glue an authenticated access method with the 'known person token'. (*) In order to use eduGAIN your organisation will need to set up the relevant SAML attributes etc for access. We will provide details when linked/known.

If you need further admin accounts on CAT, for instance in order to be able to administer a sub-realm used exclusively by an associated collegiate entity, you can request this through eduroam(UK) technical support in the normal way (via JSD).

Using the Service

Using eduroam CAT is totally web-based. You do not need any Linux server expertise at all. Go to https://cat.eduroam.org and select 'eduroam admin manage your IdP' from the left hand menu.

eduroam CAT mandates certain security features (use of a certificate chain and checking thereof) and generally simplifies and helps to secure the eduroam experience.  You input information such as the realm, outer ID (e.g. anonymous@your-realm.ac.uk), preferred EAP types, name of RADIUS servers, certificate chain, support options (your service desk email, phone number etc) and in return you get a series of downloads which you can either host locally on your eduroam setup help page or you can direct your users to on the eduroam CAT website.
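The settings listed above (outer ID, certificate chain and the checking of it, RADIUS server name) can be audited on a device that was configured by hand. The following is an added example, not code from CAT or eduroam(UK): it parses wpa_supplicant network blocks and reports which of those protections are missing. The sample configuration, realm, server name and CA path are constructed placeholders.

```python
import re
# Constructed sample in wpa_supplicant.conf syntax; realm, server name and
# CA path are placeholders, not values taken from the page or a real IdP.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@your-realm.ac.uk"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@your-realm.ac.uk"
    anonymous_identity="anonymous@your-realm.ac.uk"
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
    domain_suffix_match="radius.your-realm.ac.uk"
    phase2="auth=PAP"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, flags=re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, flags=re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return findings for one block; an empty list means nothing is missing."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an 802.1X network
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate chain is not checked")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the CA is accepted")
    outer, inner = net.get("anonymous_identity", ""), net.get("identity", "")
    if not outer:
        findings.append("no anonymous_identity: real username is sent as the outer ID")
    elif "@" in inner and outer.rpartition("@")[2] != inner.rpartition("@")[2]:
        findings.append("outer ID realm differs from the inner identity realm")
    return findings

def audit_conf(text):
    return [audit(net) for net in parse_networks(text)]
```

Run over the sample, the first (hand-made) block yields three findings and the second, which pins the CA and server name and sets an anonymous outer ID, yields none.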

Using the tool in practice - end user perspective

CAT can form part of your 'on-boarding' solution in a number of scenarios. You could simply direct users to the CAT web site and there's an example of what they'd see below. Alternatively, we would recommend that you download the installers and deploy these in your own on-boarding solution, e.g. by posting them to your eduroam information user setup guidance page, private intranet or other distribution medium. This enables you to maintain complete control over the on-boarding process and means you manage non-availability risks, i.e. you won't be dependent on an external resource.

Here's a screenshot of the typical profile page users see once they have selected their organisation (in this case Loughborough University) from the drop down list on https://cat.eduroam.org:

What Supplicants are supported?

The following supplicants are supported:

Microsoft Windows XP SP3, Vista, 7 and 8

SecureW2 (EAP-TTLS)

wpa_supplicant and GUI tools such as NetworkManager and KNetworkManager (Linux)

Apple Mac OS X Lion (10.7) and Mountain Lion (10.8) and Apple iOS devices (iPod, iPhone, iPad etc)

Android (support introduced with CAT release 1.1) 

[Nb. Android support was hitherto problematic as there wasn't a way to push the required settings to the client device using technologies built into the base OS (other solutions such as Cloudpath require the user to download and install a separate client to provide that interface).]

Other features

CAT 1.1 (released April 2015) introduced a number of really good features including support for Hotspot 2.0 / Passpoint, wired ethernet configuration, removal of onboarding SSIDs, removal of eduroam-TKIP profiles on Windows, the media tab, realm checks, support for Android 4.3+ and redirection targets for unsupported devices. For full details, see What's new in CAT 1.1.

It is worth noting that CAT includes the capability for you to add free text messages for the user for either specific EAP types or specific devices. This text is displayed on the user download page before the download begins. Uses for this text include: reminding users that by using eduroam they are accepting the eduroam(UK) Policy (and others that might apply), stipulating that users must remove the profile when they leave the organisation, and telling conference users that the service will only work on your campus and will be disabled after the conference. If you use EAP-TLS you could say which secretariat users should turn to in order to get the client certificate for EAP-TLS. For these options, the Fine-Tuning page has extra buttons.

CAT also allows you to create multiple user group profiles for one institution with tailored installers for the different groups. Shared properties can be defined institution-wide (e.g. server certificates and helpdesk contacts), which makes them immediately available in all profiles, and per-profile properties can be defined for the specific profile (e.g. account expiry notification for conference delegates or specific EAP methods available only to the particular group).

For full instructions on using the service, refer to the official documentation at:
The TERENA confluence wiki - Guide to eduroam CAT for Organisation Administrators

CAT and Windows XP SP3

The Windows XP SP3 API for network configuration is not rich enough for an external installer to be able to configure all EAP properties automatically for the built-in EAP types, i.e. PEAP. However, it does allow support of EAP-TTLS, so if your RADIUS server supports EAP-TTLS/PAP, the option for XP SP3 clients is to use this method. Select EAP-TTLS/PAP in CAT and a downloadable installer for Windows XP will be created using SecureW2.

If you want to support PEAP/MSCHAPv2 on Windows XP SP3 you can either provide your users with detailed step-by-step instructions for manual configuration or use SU1X (our recommended solution). With SU1X, in simple terms, you set up a correctly configured machine and then use the capture tool to create an XML file, profile.xml, from the configuration settings. This is subsequently distributed with the client setup utility to recreate correct configurations on end-user devices.

XP of course has a limited life expectancy - April 2014 is Microsoft's final end-of-support-of-XP date.

Where to go for support on CAT issues

Development of eduroam CAT was commissioned by TERENA. eduroam(UK) has been involved only as a beta tester and ideas/feedback group. eduroam(UK) has not written the code nor do we have access to the site. Issues with eduroam CAT need to be taken to the eduroam CAT team - either the CAT users mailing list for user-centric operational/usage issues or the CAT devel list for development matters (patches etc).

Issues with the eduroam CAT token, getting a token or using it (i.e. getting onto the working eduroam CAT admin page): eduroam(UK) needs to be contacted in the first instance.

Issues with using eduroam CAT, web page errors, incorrect profiles etc.: the eduroam CAT team needs to be contacted (the relevant part depends on the issue). Use the 'Report a problem' menu item on the left hand panel on the CAT page https://cat.eduroam.org/

You should also join the Geant CAT administrator users mailing list (subscribe here).