eduroam CAT (Configuration Assistance Tool)
This document is due for an update
Audience: this document is relevant to eduroam system administrators only.
What is eduroam CAT?
eduroam CAT stands for Configuration Assistance Tool. It allows eduroam Home service providers (IdPs) to create installer executables which generate pre-defined configuration profiles for a range of supplicants. This allows the organisation to provide users with a means to ensure a standardised setup of their devices and assurance that the configuration will work most effectively with eduroam. It greatly simplifies the process of setting up eduroam for users.
Individuals visiting the CAT web site can select their organisation and be presented with the range of appropriate installers. Organisations can either point their users towards this site or they can download the installers and embed these into their own eduroam Service Information web page/device setup instructions pages. (This removes dependence on an outside web service.)
eduroam CAT is FREE.
Who operates the CAT service?
The eduroam CAT configuration tool was developed as part of the Geant3 eduroam project and is delivered through the European eduroam Operations team.
eduroam(UK) is the Jisc service that delivers eduroam in the UK and that operates the National Proxies and the Support server which underpins configuration of the national service. CAT is not an eduroam(UK)/Jisc service; however, in order to use CAT, service administrators must be nominated by eduroam(UK) as the UK NREN.
How to access the CAT service - prerequisites
CAT is only available to participating organisations which have asserted that they provide an operational Home service which complies with the Technical Specification requirements. Your assertion is made through the eduroam(UK) Support web site and you can do this within the purple 'Organisation settings' panel on your main configuration page. You will need to assert both your compliance/service type (Not available (working towards), Home-only, Visited-only or Home and Visited) and your service deployment level (Deployment complete). In order to perform administrator functions within CAT, you will need to be a validated contact for the organisation and nominated by eduroam(UK), and an account setup invitation 'known person' token has to be sent to you to enable your account setup to be completed.
How to access the CAT service - getting an account/requesting an access token
To get a token, an eduroam(UK) Support server account user can request a CAT account invitation by simply clicking on the [eduroam CAT 'Join'] button in the purple 'Organisation settings' panel on the Configure page for your organisation on eduroam(UK) Support server. This is a 'one time' operation. Once a token is claimed you cannot ask for another (to stop a flood of SPAMmy requests if there is an issue). Note that the invitation will be sent to the 'primary admin' registered on eduroam(UK) Support. (Once an admin account is set up on CAT, then that admin can create further accounts on CAT should you have multiple staff requiring to perform CAT admin functions.)
The CAT invitation token that is e-mailed to you lasts for 24 hours, so please only request it when you know you are going to be using it when it arrives - and since there is a manual process at our end please make your request early on a work-day morning to ensure it is actioned. The token will be sent to you since all of the eduroam(UK) admins are registered in the European eduroam database (if you are newly added to Support server you may not appear in the European database for 24 hours).
Once the token has arrived you simply follow the link. Geant recommends federated access and facilitates this via eduGAIN. The UK Access Management Federation has now joined eduGAIN, so you could use your UK federated access credentials if you have them (*). As an alternative you can use any social network credentials you have to log in (Facebook, Google, Twitter, LinkedIn). This account is just to glue an authenticated access method with the 'known person token'. (*) In order to use eduGAIN your organisation will need to set up the relevant SAML attributes etc for access. We will provide details when linked/known.
If you need further admin accounts on CAT, for instance in order to be able to administer a sub-realm used exclusively by an associated collegiate entity, you can request this through eduroam(UK) technical support in the normal way (via JSD).
Forgotten your CAT account details/CAT account stopped working/need fresh CAT account token?
You can reset the CAT request button if required simply by clicking on [eduroam CAT 'Requested']. A dialogue box appears and you can click on [Reset]. Back on the Configure page, the [eduroam CAT] button will have changed to [eduroam CAT 'Join']. Clicking this again results in the dialogue popup and you can then email us for a fresh token.
Using the Service
Using eduroam CAT is totally web-based. You do not need any Linux server expertise at all. Go to https://cat.eduroam.org and select 'eduroam admin manage your IdP' from the left hand menu.
eduroam CAT mandates certain security features (use of a certificate chain and checking thereof) and generally simplifies and helps to secure the eduroam experience. You input information such as the realm, outer ID (e.g. anonymous@your-realm.ac.uk), preferred EAP types, name of RADIUS servers, certificate chain, support options (your service desk email, phone number etc) and in return you get a series of downloads which you can either host locally on your eduroam setup help page or you can direct your users to on the eduroam CAT website.
Note. Full functionality of the CAT system will not be available to you until after you have marked your eduroam deployment 'complete' (ie operational) on the eduroam(UK) Support server.
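The certificate chain checking described above can be verified on a Linux client by inspecting its wpa_supplicant configuration. The following is an added example, not CAT's own code or installer output: a small auditor that flags eduroam network blocks lacking a CA certificate, a server name check or an anonymous outer identity. The realm example.ac.uk, the file path and the server name are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf content (illustrative values only).
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    eap=PEAP
    identity="alice@example.ac.uk"
}
network={
    ssid="eduroam"
    eap=PEAP
    identity="alice@example.ac.uk"
    anonymous_identity="anonymous@example.ac.uk"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.ac.uk"
}
'''

# wpa_supplicant options that pin the expected RADIUS server name.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")

def parse_networks(text):
    """Return each network={...} block as a dict of key -> unquoted value."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit(entry):
    """List the protective settings missing from one network block."""
    findings = []
    if not entry.get("ca_cert"):
        findings.append("no ca_cert: server certificate chain is not validated")
    if not any(entry.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name check: any server under the CA is accepted")
    if "@" not in entry.get("anonymous_identity", ""):
        findings.append("no anonymous outer identity with realm")
    return findings

def audit_conf(text):  # audit only the eduroam blocks
    return [audit(n) for n in parse_networks(text) if n.get("ssid") == "eduroam"]

if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```

The first constructed block yields three findings and the second none; a manually configured device that resembles the first block is the case a standardised installer is meant to prevent.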
Using the tool in practice - end user perspective
CAT can form part of your 'on-boarding' solution in a number of scenarios. You could simply direct users to the CAT web site and there's an example of what they'd see below. Alternatively we would recommend you to download the installers and deploy these in your own on-boarding solution, e.g. by posting to your eduroam information user setup guidance page, private intranet or other distribution medium. This enables you to maintain complete control over the on-boarding process and means you manage non-availability risks, i.e. you won't be dependent on an external resource.
Here's a screenshot of the typical profile page users see once they have selected their organisation (in this case Loughborough University) from the drop down list on https://cat.eduroam.org:
What Supplicants are supported?
The following supplicants are supported:
Microsoft Windows Vista, 7, 8, 8.1 and 10
Apple Mac OS X Lion (10.7), Mountain Lion (10.8), Mavericks (10.9), Yosemite (10.10), El Capitan (10.11), Sierra (10.12), High Sierra (10.13), Mojave (10.14)
Apple iOS (iPod, iPhone, iPad etc) 5, 6, 7-11
SecureW2 (EAP-TTLS)
Linux - wpa_supplicant and GUI tools such as NetworkManager and KNetworkManager
Android (support introduced with CAT release 1.1): 4.3, KitKat (4.4), Lollipop (5.0), Marshmallow (6.0), Nougat (7.0), Oreo (8.0), Pie (9.0), Q (10.0)
[Nb. Android support was hitherto problematic as there wasn't a way to push the required settings to the client device using technologies built into the base OS (other solutions such as Cloudpath require the user to download and install a separate client to provide that interface).]
Other features
CAT 1.1 (released April 2015) introduced a number of really good features, including support for Hotspot 2.0 / Passpoint, wired ethernet configuration, removal of onboarding SSIDs, removal of eduroam-TKIP profiles on Windows, the media tab, realm checks, support for Android 4.3+ and redirection targets for unsupported devices. For full details, see What's new in CAT 1.1.
It is worth noting that CAT includes the capability for you to add free text messages for the user for either specific EAP types or specific devices. This text is displayed on the user download page before the download begins. Uses for this text include: reminding users that by using eduroam they are accepting the eduroam(UK) Policy (and others that might apply), or stipulating that users must remove the profile when they leave the organisation and, for conference users, that the service will only work on your campus and will be disabled after the conference. If you use EAP-TLS you could say which secretariat users turn to in order to get the client certificate for EAP-TLS. For these options, the Fine-Tuning page has extra buttons.
CAT also allows you to create multiple user group profiles for one institution with tailored installers for the different groups. Shared properties can be defined institution-wide (e.g. server certificates and helpdesk contacts), which makes them immediately available in all profiles, and per-profile properties can be defined for the specific profile (e.g. account expiry notification for conference delegates or specific EAP methods available only to the particular group).
For full instructions on using the service, refer to the official documentation at:
Geant wiki - Guide to eduroam CAT for Organisation IdP Administrators
CAT and Windows XP SP3
The Windows XP SP3 API for network configuration is not rich enough for an external installer to be able to configure all EAP properties automatically for the built-in EAP types, i.e. PEAP. However, it does allow support of EAP-TTLS, so for XP SP3, if your RADIUS server supports EAP-TTLS/PAP, the option is to use this method for these clients. Select EAP-TTLS/PAP in CAT and a downloadable installer for Windows XP will be created using Secure W2.
If you want to support PEAP/MSCHAPv2 on Windows XP SP3 you can either provide your users with detailed step-by-step instructions for manual configuration or use SU1X (our recommended solution). With SU1X, in simple terms, you set up a correctly configured machine and then use the capture tool to create an XML file, profile.xml, from the configuration settings. This is subsequently distributed with the client setup utility to recreate correct configurations on end-user devices.
XP of course has a limited life expectancy - April 2014 is Microsoft's final end-of-support-of-XP date.
Where to go for support on CAT issues
Development of eduroam CAT was commissioned by TERENA. eduroam(UK) has been involved only as a beta tester and ideas/feedback group. eduroam(UK) has not written the code nor do we have access to the site. Issues with eduroam CAT need to be taken to the eduroam CAT team - either the CAT users mailing list for user-centric operational/usage issues or the CAT devel list for development matters (patches etc).
Issues with eduroam CAT token, getting token or using it (ie getting onto the working eduroam CAT admin page) - eduroam(UK) needs to be contacted in the first instance
Issues with using eduroam CAT, web page errors, incorrect profiles etc - eduroam CAT need to be contacted (relevant part depends on issue). Use the 'Report a problem' menu item on the left hand panel on the CAT page https://cat.eduroam.org/
You should also join the Geant CAT administrator users mailing list, cat-users@lists.geant.org. It is recommended you join the list first; subscribe here: https://lists.geant.org/sympa/subscribe/cat-users