eduroam CAT (Configuration Assistance Tool)


This page updated 26/08/2022 - further updates are due.

Audience: this document is relevant to eduroam system administrators only.

What is eduroam CAT?

eduroam CAT stands for Configuration Assistance Tool. It allows eduroam Home service providers (IdPs) to create installer executables which generate pre-defined configuration profiles for a range of supplicants. This allows the organisation to provide users with a means to ensure a standardised setup of their devices and assurance that the configuration will work most effectively with eduroam. It greatly simplifies the process of setting up eduroam for users.

Individuals visiting the CAT web site can select their organisation and be presented with the range of appropriate installers. Organisations can either point their users towards this site or they can download the installers and embed these into their own eduroam Service Information web page/device setup instructions pages. (This removes dependence on an outside web service.)

eduroam CAT is FREE.

Governance and Code Quality

CAT development has been funded by a series of projects in the European Commission's Framework programmes for over a decade (spanning 'Framework Programme 7', 'Horizon Europe' and already confirmed for the upcoming 'Horizon' programme). It is an integral part of the funding for the roaming consortium 'eduroam', with the aim to enable and facilitate global federated Wi-Fi roaming with enterprise-grade security.

For further information about code quality, design and quality assurance, please see the Governance statement on Github CAT/Governance and Code Quality Manifesto

Who operates the CAT service?

The eduroam CAT configuration tool was developed as part of the Geant3 eduroam project and is delivered through the European eduroam Operations team.

eduroam(UK) is the Jisc service that delivers eduroam in the UK and that operates the National Proxies and the Support server which underpins configuration of the national service. CAT is not an eduroam(UK)/Jisc service, however in order to use CAT, service administrators must be nominated by eduroam(UK) as the UK NREN.

How to access the CAT service - prerequisites

CAT is only available to participating organisations which are asserting Home-and-Visited or Home-only services. Access used to be restricted to those which were asserting operational compliance with the Technical Specification, i.e. 'Service deployment' = 'Deployment complete'. However we now permit organisations that are working towards deployment to use CAT, since having a user device setup automation tool in place at service launch is now such an important part of your overall eduroam service. You make your service deployment assertion through the eduroam(UK) Support web site via the purple 'Organisation settings' panel on your main configuration page. You will also find the eduroam CAT [Join] button on that purple 'Organisation settings' panel.

Set up of the CAT admin account is authorised by eduroam(UK) and you will need to be a validated contact for your organisation, normally a sys admin user of the Support portal. It is helpful if your organisation is a member of the UKAMF - this enables you to use federated access/single sign on to log in to CAT. But you can use other identity provider mechanisms such as a social media account once you have received the account setup invitation 'known person' token after eduroam(UK) authorisation of your account setup.

How to access the CAT service - getting an account/requesting an access token

To get a token, an eduroam(UK) Support server account user can request a CAT account invitation by simply clicking on the [eduroam CAT 'Join'] button in the purple 'Organisation settings' panel on the Configure page for your organisation on eduroam(UK) Support server. This is a 'one time' operation: once a token is claimed you cannot ask for another (to stop a flood of SPAMmy requests if there is an issue). Note that the invitation will be sent to the ‘primary admin’ registered on eduroam(UK) Support. (Once an admin account is set up on CAT, that admin can create further accounts on CAT should you have multiple staff requiring to perform CAT admin functions.)

The CAT invitation token that is e-mailed to you lasts for 24 hours, so please only request one when you know you are going to be using it when it arrives - and since there is a manual process at our end, please make your request early on a work-day morning to ensure it is actioned. The token can be sent to you because all of the eduroam(UK) admins are registered in the European eduroam database (if you are newly added to Support server you may not appear in the European database for 24 hours).

Once the token has arrived you simply follow the link. Geant recommends federated access and facilitates this via eduGAIN. The UK Access Management Federation has now joined eduGAIN, so you could use your UK federated access credentials if you have them (*). As an alternative you can use any social network credentials you have to log in (Facebook, Google, Twitter, LinkedIn). This account is just to glue an authenticated access method with the 'known person token'. (*) In order to use eduGAIN your organisation will need to set up the relevant SAML attributes etc for access. We will provide details when linked/known.

Additional CAT admin accounts for your organisation

If your organisation needs further admin accounts on CAT - for instance if you have multiple sys admins, to replace a leaver, or even should administration of a sub-realm used exclusively by an associated collegiate entity be required - then either a) an existing CAT Admin can create a new account, or b) you can request this through eduroam(UK) technical support in the normal way via JSD. Note that admin accounts created by existing organisational admins do not inherit the permission to add additional admin users themselves.

Forgotten your CAT account details/CAT account stopped working/need fresh CAT account token?

You can reset the CAT request button if required simply by clicking on [eduroam CAT 'Requested']. A dialogue box appears and you can click on [Reset]. Back on the Configure page, the [eduroam CAT] button will have changed to [eduroam CAT 'Join']. Clicking this again results in the dialogue popup and you can then email us for a fresh token.

Using the Service

Using eduroam CAT is totally web-based. You do not need any Linux server expertise at all. Go to https://cat.eduroam.org and select 'eduroam admin manage your IdP' from the left hand menu.

eduroam CAT mandates certain security features (use of a certificate chain and checking thereof) and generally simplifies and helps to secure the eduroam experience. You input information such as the realm, outer ID (e.g. anonymous@your-realm.ac.uk), preferred EAP types, name of RADIUS servers, certificate chain, support options (your service desk email, phone number etc) and in return you get a series of downloads which you can either host locally on your eduroam setup help page or you can direct your users to on the eduroam CAT website.

Note. Full functionality of the CAT system will not be available to you until after you have marked your eduroam deployment 'complete' (i.e. operational) on the eduroam(UK) Support server.

A few screen shots and hints: https://community.jisc.ac.uk/library/network-and-technology-service-docs/using-eduroam-support-site-connecting-nrps-user-boarding Pages 38 - 48

CAT admins manual: https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators

Certificates to upload:  https://community.jisc.ac.uk/library/network-and-technology-service-docs/certificates-eduroam   and *the table*

Quick Guide – for CAT admins

  • Apart from editing the ‘general Identity Provider details’ for your institution, to get started you need to create a profile.
  • At the bottom of your institution ‘Identity Provider Overview’ admin page you’ll find the Profiles section. For your first time visit this will state: ‘There are not yet any profiles for your Identity Provider’
  • So, click on the [Add new RADIUS/EAP profile] button. You will get a page full of options / data you can populate.

--

(Nb Once you have created an organisation EAP profile the following will also apply on future return visits to the CAT)

  • In the ‘General Profile properties’ panel you’ll see the message: ‘We will now define a profile for your user group(s). You can add as many profiles as you like by choosing the appropriate button on the end of the page. After we are done, the wizard is finished and you will be taken to the main IdP administration page.’
  • Fill in the various fields as you wish, there is descriptive text for the options. It is recommended you refer to the admin manual as well.
  • Nb. It is strongly recommended that under the [Add new option] button you populate the Realm: field - this helps with testing.
  • At the present time, due to issues with some Android 11 implementations, you should ensure that the ‘Enable Anonymous Outer Identity:’ box is NOT ticked.

(General Profile properties, Realm Options, Outer Identity Handling)

  • Next, in the ‘Supported EAP types’ panel you need to specify what EAP types you support. Drag and drop the EAP types in the red area into the green ‘Supported EAP types for this profile’ area.

--

  • The ‘Helpdesk Details for this profile’ panel can be completed if you wish.
  • Note the ‘Terms of Use’ option to upload your network access T&Cs/AUP file

--

  • The ‘EAP Details for this profile’ panel contains the extremely important server certificate information.
  • Upload the Root CA Certificate of your server certificate. (Note you can upload multiple CA roots if you have a mixture on your ORPS).
  • We recommend that you also upload the Intermediate CA certificate(s) (except if your CA doesn’t use intermediate CAs). (*)
  • In the ‘Name (CN) of Authentication Server’ field, enter the CN and SubjectAltName:DNS name on your RADIUS server certificate. Use the single name that is common to both fields in cases where you have used multiple SAN:DNS names. If you have opted to use non-cloned certificates on multiple ORPSs, you can create multiple CN name entries.

(*) If your RADIUS server includes the Inter CA cert when it sends its server cert during the authentication process, uploading the inter CA cert is not strictly necessary, however to err on the safe side, we recommend that you include the inter CA cert in your profile.
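The two checks the ‘EAP Details’ panel relies on can be rehearsed before you touch CAT: does the server certificate chain to the Root CA you intend to upload, and is there one name present in both the subject CN and the SAN:DNS list to enter as ‘Name (CN) of Authentication Server’. The script below is an added example, not from this page or the eduroam CAT project; it builds a throwaway root CA and two constructed server certificates with openssl (hostnames under example-uni.ac.uk are invented), one correct and one whose CN and SAN:DNS share no name.

```shell
#!/bin/sh
# Added example (not from the Jisc page or the eduroam CAT project).
# Builds a throwaway root CA plus two RADIUS server certs, then checks the two
# things a CAT 'EAP Details' profile depends on: chain to the root you upload,
# and a name common to subject CN and SAN:DNS. All names are constructed.
set -e
WORK=$(mktemp -d)
ORPS="radius1.example-uni.ac.uk"   # constructed ORPS hostname

newkey_csr() {   # $1 = basename, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA: self-signed, with explicit CA:TRUE so openssl verify accepts it as an anchor.
newkey_csr ca "Example Uni eduroam Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

issue_server() {   # $1 = basename, $2 = CN, $3 = comma-separated SAN list
  newkey_csr "$1" "$2"
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}
# Good certificate: the CN is also one of the SAN:DNS names.
issue_server good "$ORPS" "DNS:$ORPS,DNS:radius2.example-uni.ac.uk"
# Bad certificate: CN and SAN:DNS share no name, so there is no single value to enter in CAT.
issue_server bad "$ORPS" "DNS:eduroam-auth.example-uni.ac.uk"

# Subject CN of a PEM certificate.
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
# SAN:DNS names, one per line.
cert_san_dns() { openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'; }
# Prints the name to enter in CAT (common to CN and SAN:DNS); non-zero status if none exists.
cat_server_name() { cert_san_dns "$1" | grep -Fx -- "$(cert_cn "$1")"; }
# Does the server certificate verify against the root you intend to upload?
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

for c in good bad; do
  verify_chain "$WORK/$c.pem" "$WORK/ca.pem" && echo "$c.pem: chain OK against ca.pem"
  cat_server_name "$WORK/$c.pem" || echo "$c.pem: no name common to CN and SAN:DNS"
done
```

Point cert_cn, cert_san_dns and verify_chain at your real ORPS certificate and Root CA file to get the exact CN value and to confirm the chain before filling in the profile.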

--

  • The ‘Media Properties for this profile’ panel contains optional settings.

--

  • Click on the [Save data] button at the bottom of the page.

--

  • IMPORTANT - when you are happy with the profile, you need to go to the ‘General Profile properties’ panel and tick the [Production-Ready] box.

You can test your RADIUS server/CAT profile by using the realm reachability tests on the CAT site.

Using the tool in practice - end user perspective

CAT can form part of your 'on-boarding' solution in a number of scenarios. You could simply direct users to the CAT web site, and there's an example of what they'd see below. Alternatively we would recommend that you download the installers and deploy these in your own on-boarding solution, e.g. by posting them to your eduroam information/user setup guidance page, private intranet or other distribution medium. This enables you to maintain complete control over the on-boarding process and means you manage non-availability risks, i.e. you won't be dependent on an external resource.

Here's a screenshot of the typical profile page users see once they have selected their organisation (in this case Loughborough University) from the drop down list on https://cat.eduroam.org:

What Supplicants are supported?

The following supplicants are supported:

Microsoft Windows Vista, 7, 8, 8.1 and 10

Apple Mac OS X Lion (10.7), Mountain Lion (10.8), Mavericks (10.9), Yosemite (10.10), El Capitan (10.11), Sierra (10.12), High Sierra (10.13), Mojave (10.14)

Apple iOS (iPod, iPhone, iPad etc) 5, 6, 7-11

SecureW2 (EAP-TTLS)

Linux - wpa_supplicant and GUI tools such as NetworkManager and KNetworkManager

Android (support introduced with CAT release 1.1) 4.3, KitKat (4.4), Lollipop (5.0), Marshmallow (6.0), Nougat (7.0), Oreo (8.0), Pie (9.0), Q (10.0)

[Nb. Android support was hitherto problematic as there wasn't a way to push the required settings to the client device using technologies built into the base OS (other solutions such as Cloudpath require the user to download and install a separate client to provide that interface).]

Other features

CAT 1.1 (released April 2015) introduced a number of really good features including support for Hotspot 2.0 / Passpoint, wired ethernet configuration, removal of onboarding SSIDs, removal of eduroam-TKIP profiles on Windows, the media tab, realm checks, support for Android 4.3+, and redirection targets for unsupported devices. For full details, see What's new in CAT 1.1.

It is worth noting that CAT includes the capability for you to add free text messages for the user for either specific EAP types or specific devices. This text is displayed on the user download page before the download begins. Uses for this text include: reminding users that by using eduroam they are accepting the eduroam(UK) Policy (and others that might apply), stipulating that users must remove the profile when they leave the organisation, and telling conference users that the service will only work on your campus and will be disabled after the conference. If you use EAP-TLS you could say which secretariat users should turn to to get the client certificate for EAP-TLS. For these options, the Fine-Tuning page has extra buttons.

CAT also allows you to create multiple user group profiles for one institution with tailored installers for the different groups. Shared properties can be defined institution-wide (e.g. server certificates and helpdesk contacts), which makes them immediately available in all profiles, and per-profile properties can be defined for the specific profile (e.g. account expiry notification for conference delegates or specific EAP methods available only to the particular group).

For full instructions on using the service, refer to the official documentation at:
Geant wiki - Guide to eduroam CAT for Organisation IdP Administrators

CAT and Windows XP SP3

The Windows XP SP3 API for network configuration is not rich enough for an external installer to be able to configure all EAP properties automatically for the built-in EAP types, i.e. PEAP. However it does allow support of EAP-TTLS, so for XP SP3 the option, if your RADIUS server supports EAP-TTLS/PAP, is to use this method for these clients. Select EAP-TTLS/PAP in CAT and a downloadable installer for Windows XP will be created using SecureW2.

If you want to support PEAP/MSCHAPv2 on Windows XP SP3 you can either provide your users with detailed step-by-step instructions for manual configuration or use SU1X (our recommended solution). With SU1X, in simple terms, you set up a correctly configured machine and then use the capture tool to create an XML file, profile.xml, from the configuration settings. This is subsequently distributed with the client setup utility to recreate correct configurations on end-user devices.

XP of course has a limited life expectancy - April 2014 is Microsoft's final end-of-support-of-XP date.

Where to go for support on CAT issues

Development of eduroam CAT was commissioned by TERENA. eduroam(UK) has been involved only as a beta tester and ideas/feedback group. eduroam(UK) has not written the code nor do we have access to the site. Issues with eduroam CAT need to be taken to the eduroam CAT team - either the CAT users mailing list for user-centric operational/usage issues or the CAT devel list for development matters (patches etc).

Issues with the eduroam CAT token, getting a token or using it (i.e. getting onto the working eduroam CAT admin page) - eduroam(UK) needs to be contacted in the first instance.

Issues with using eduroam CAT, web page errors, incorrect profiles etc - the eduroam CAT team needs to be contacted (the relevant part depends on the issue). Use the 'Report a problem' menu item on the left hand panel on the CAT page https://cat.eduroam.org/

You should also join the Geant CAT administrator users mailing list, cat-users@lists.geant.org. It is recommended you join the list first: https://lists.geant.org/sympa/subscribe/cat-users

If you find any errors or omissions, wish to add content or have any comments on this page, please e-mail eduroamuk@jisc.ac.uk