CAF – eduroam Provisioning Considerations

Mass Device Configuration with eduroam Configuration Assistant Tool (CAT)

Whether you have only a few users or thousands, we recommend using the Configuration Assistant Tool (CAT). This highly flexible tool supports all major devices and will help deploy your wireless profiles to your population at large.  For more on eduroam CAT please see visit

Your institution’s Primary Technical Contact (PTC) will have been provided Administrator access to the site. If you have any questions or concerns, contact [email protected].

Enabling Self-Serve eduroam Installations

Not all users are prepared for eduroam when they want to get online.  One way to assist these users is to offer a limited access ‘eduroam_help’ SSID that only permits visits to your site and/or to fetch installers and instructions and other minimal access required.

Offering a shared ‘guest’ account to attempt this on the eduroam SSID is strongly discouraged. It defeats the purpose of eduroam and creates enormous support issues as end users will then struggle to delete a ‘remembered’ Wi-Fi sign-on.

Enhanced Protection of Personally Identifiable Information

eduroam leverages RADIUS’s ability to use an anonymized outer identity in order to mask Personally Identifiable Information (PII) from being used during the routing of the TLS/SSL connection.  For example, an individual’s network ID may be [email protected] but the federation level RADIUS server only needs to know about what domain the user belongs to for proper routing. Content before the ‘@’ sign should be the unique anonymous id that has been provided to your institution’s Primary Technical Contact by CANARIE.

The anonymous identity feature is a simple checkbox in the eduroam CAT installer (chosen by the site Administrator). When enabled, it will automatically anonymize users when using the eduroam CAT profiles. If you are using NPS, please reference further implementation instructions here.