eduroam CAT for IdP Administrators

eduroam CAT: Purpose and scope

There is also a lightweight download page for resource-constrained mobile devices.

2. Enrolling your organization for eduroam CAT

3. Enrolling your organization’s properties

To the largest extent possible, all the information is optional. If you choose not to provide all the requested details, the tool will still create an installer. For best results, please provide as much detail as possible.

There are two governing principles regarding input and storage of information in the administrator user interface:

1. Textual information is offered in several languages; however, values should always be set for the “default/other languages” option. This should align with the primary language used for your communications to your community. You can then choose alternative language(s) to provide multi-lingual options.

2. An organization may use one or more EAP profiles, each having its own EAP-specific settings (e.g., an organization that has both student and staff accounts with different EAP types being supported). Many options in eduroam CAT can either be set for the entire organization or for a specific profile.

Note: If a setting is set on both levels, the more specific profile-level setting will override that which is organization-wide.

When you re-visit the “Edit IdP” page later from the Organization Overview page, the explanatory texts are condensed so as not to overload the user interface.

You can configure three of the four areas mentioned above on this first page. The RADIUS and EAP settings are configured at a later stage in the Profile configuration section.

3.2.1 General Information

This section sets your institution-wide properties, including uploading your organization’s logo and ensuring your organization’s name is correct.

3.2.2 Helpdesk Contact Details

The helpdesk contact details set here will serve as your default helpdesk and apply to any profiles that do not have these details already set.

3.2.3 Media Properties

You can configure all media properties of your eduroam setup in this section.

The SSID “eduroam” for WPA2/AES is always configured as it is the core of the eduroam specification – you do not need to enter it here.

Note: Previous versions of eduroam CAT also installed a WPA/TKIP profile. Since these are now obsolete, current CAT installers will remove this profile during installation.

The list of things you can additionally configure in “Media” are:

Additional SSID for WPA2/AES

If you deploy other SSIDs for which eduroam credentials are valid, you can add these here and they will be configured alongside the eduroam SSID.

This attribute can be set if you want to configure an another SSID in addition to the default SSIDs for eduroam. We strongly recommend only using the default SSIDs. The only exception is if you have premises with a radio signal that overlaps with another eduroam hotspot.

Typical misconceptions about additional SSIDs include the sentiment “I want to have a local SSID for my own users…” In fact, it is preferable to use the default SSID and separate user groups with VLANs. This approach has two advantages:

1. Your users will configure eduroam properly because it is their everyday SSID.

2. If you use a custom name and advertise it as extra secure, your users might at some point roam to another location that happens to have the same SSID name. They might then believe incorrectly that they are connecting to an extra secure network while they are, in fact, not.

Additional own Hotspot 2.0 / Passpoint Consortium OI

If you want to enable Passpoint and have a Consortium Organization Identifier, you can enter it here. The Consortium OI for eduroam is 001BC50460. We do not currently enable this Consortium OI by default. On the end-user device side, settings made for Passpoint will currently only benefit the most recent Apple devices (iOS 7+ and recent-enough hardware, recent Mac OS X).

Whether or not to configure wired ethernet for IEEE 802.1X

Some eduroam participants also use IEEE 802.1X for wired ethernet ports on their premises (e.g., in dormitories). Administrators can specify that the installers should include wired ethernet eduroam configuration on the client devices. This is currently supported for the Windows installers and Apple OS X. Windows installers will provoke a UAC prompt when wired support is turned on.

Note: Wired ethernet is configured in addition to the eduroam wireless service, therefore profiles that are intended for wired use should also meet the same configuration standards as those that are wireless.

Disable captive portal SSIDs after setting up eduroam

Many eduroam participants deploy several SSIDs; typically, a captive portal SSID for help and/or download of configuration profiles/configuration instructions (a “bootstrap” or “onboarding” network), and the real eduroam network. If your users have connected to the bootstrap network before, their devices usually remember it, and may prefer that network over the eduroam network. To prevent this, you can configure the name of your bootstrap SSID, and then during the installation process, CAT will either remove it from the client device, or at least mark it as “do not join automatically”. We recommend the use of an “eduroam-assist” SSID within Canada to support onboarding activities, especially for laptop-type devices that do not typically have cellular connectivity available as a fallback. In this case, you can configure the removal of the eduroam-assist SSID by default here, even if you have not yet established this network in your own organization. This step will save additional work later and better support users who may be doing their configuration at other locations.

Auto Detection

Auto detection will create a new profile and attempt to pre-populate your RADIUS server certificate details by extracting them. We highly recommend using this as the initial entry point.

Note: Auto-detection may require a valid username in your RADIUS server; however, some servers are quite happy to provide the necessary information using an [email protected]–style user (adjust to suit your environment).

Auto detection will open the profile page, and you can then validate the settings and continue to make edits.

Manual Configuration/Validation

For a profile, you must first set its name and description. There is also one important option: “Production-Ready.” We will not publish your ge

nerated installers on the end-user download page unless you select this option. This is to prevent accidentally downloading installers with incomplete information while you are still working on the final setup.

Auto-detection will fill out the RADIUS realm belonging to this profile, but you can still make adjustments, if needed.

Entering the realm is optional, but it is highly recommended as it enables us to do very thorough checks on your RADIUS installation later (see section “Verifying my RADIUS setup” for more details). The realm is also required for anonymous outer identity support on some devices, and you will not be able to enter the CANARIE-supplied anonymous outer identity value later without it.

Note: In Microsoft Windows, the realm for the outer identity is automatically populated from the username from the inner identity.

Additionally, the realm can be used to help ensure correct configuration of the inner identity username (must be either [email protected] or [email protected] depending on the inner identity handling choices).

It is highly recommended that you enable the anonymous outer identity to help preserve user privacy.

Canadian organizations must be configured using an anonymous outer identity in the format anonymousXXXXXX, where XXXXXX is the number issued to you by the CANARIE eduroam team. This indicates that you have configured your CAT profile, and signals to both the institution administrators (you) and us (CANARIE) that users are actively using the CAT profile.

If you don’t want users of that profile to be given an installer, you can also specify that we should send your users to your own support page instead (e.g., if you, the admin, want to generate installers but only download them yourself and present them on your own eduroam support page).

The third aspect of profile generation concerns the EAP types which you’ve configured in your RADIUS server for this user group. If auto-detection has failed, or you need to adjust the values, you can drag and drop all the EAP types you support into the upper green area. The list is displayed in order of preference, so be sure to drag the EAP types into your preferred order (most preferred at the top).

The CAT will always compare the EAP types you’ve configured here with the capabilities of the various devices that are to be configured. If the device supports your preferred EAP type, installers will always be generated for that EAP type. If your preferred EAP type does not work on a given device, it will work through the preference list until a match is found, and then installers for that device will use that EAP type. Finally, if there is a complete mismatch between the EAP types you support and the EAP types on a device, CAT will be unable to generate installers for that device. In that case, we recommend changing your RADIUS setup to support more EAP types.

The EAP type configuration is one of the two most critical settings and is a main driver for using the CAT profile. Most devices do not expose this configuration to the end-user, and it’s possible for a rogue access point to negotiate an unsecure EAP authentication method to enable credential harvesting if this isn’t set up.

3.3.1 EAP Details

In the EAP Details section, you can either upload or validate (if auto-detected) the common properties of your RADIUS installation’s EAP configuration.

For most EAP methods, the required EAP details are:

1. The Certification Authority (CA) certificate(s) which signed your EAP server certificate.
   1. always include the root CA (indicated by an “R” beside the certificate details after upload)
   1. optionally, include intermediate CAs (indicated by an “I” beside the certificate after upload)
2. The name of your server as specified in the Common Name (CN) of your EAP server certificate.

To avoid problems with some devices, we recommend using a single CN for all your RADIUS servers. See certificate guidance for more details.

Note 1 – Server Certificates

There is no need to upload the server certificate itself. It has relatively short validity and is sent during the EAP exchange during login time to the client. However, the CA certificates ARE required because they are the trust anchor on the client device that is to verify that incoming server certificate, which avoids requiring users to re-apply the CAT profile to their devices each time the certificate is updated.

Note 2 – CA Requirements

Various client device operating systems have specific requirements about which CA certificates and server certificates they accept. For more information, please see EAP Server Certificate considerations.

Note 3 – Rollover Supports

You can upload multiple root CA certificates to CAT simultaneously, which enables CA certificate rollover without a flag day. User devices configured with an upcoming new root CA ahead of time will not notice the change of server certificates from old to new trust root, so long as the Common Name of the server certificate remains unchanged during the rollover.

On the client OS, all root CAs will be installed and marked as trusted. However, the older eduroam CAT Android App for Android (4.3 to 7), will only install one certificate so it can’t be used to support CA rollover. Android 8+ should use the geteduroam App instead, or you can isolate Android users while giving everyone else multiple trust roots first. In this case, you can create a different profile (see next section) just for Android and only load the desired root CA into that profile.

Note 4 – Changing the Root of Trust

Note that any change in the root of trust will require all devices to re-apply their CAT profile using the installers to be able to continue to authenticate securely after the old root of trust is removed.

3.3.2 Overriding IdP-wide Settings

After these steps, you can enter/override helpdesk and media properties if you haven’t already done so in the organization-wide settings (see above). If you have entered one specific option organization-wide already, and you enter something different here, the settings on the profile level supersede those on the organization level.

CAT then performs a sanity check of your configuration and will flag any issues. You’ll then be sent to the Organization dashboard. From here, you can continue to download your installers, change organization or profile details, perform sanity checks, and more.

4. Generating installers for users

On the organization dashboard page, you’ll see an overview of your settings.

CAT uses this data (and all profile-specific data) to create installers. To get access to the installers, click on Installer Fine-Tuning and Download in your defined profile.

This will take you to an overview of available installers. It is displayed as a matrix of your enabled EAP types – the devices CAT knows about – and whether an installer for all the combinations is available.

	The installer is ready for use. There is a Download button available.
	CAT could create an installer for that combination, but there is a preferred EAP type which it can serve as well which has been generated instead.
	CAT does not know how to configure the EAP type on that device.
	Required information is missing for CAT to produce an installer. Go back to IdP and/or Profile settings and fill in the missing fields.
	You have set up an “exception” and CAT will not offer this combination to end-users, even if an installer may in principle be available (see next paragraph for details).

Fine-Tuning Scenarios

1. You have something special to communicate with your users. For example, hints for which password to use for EAP-TTLS, or which secretariat to turn to to get the client certificate for EAP-TLS?
2. You’ve banned Apple Smartphones from your campus and want to alert users to that end?

Solution

For these types of situations, you can:

1. Add free text for either specific EAP types or specific devices. This text will be displayed on the user download page before the download begins.
2. For devices, you can specify a Redirect target; if this is set, CAT will not provide a download button, but instead will redirect users to the URL you specified. This could, for example, be useful if you have a custom-made or commercial installer for one of the devices, and prefer not to use CATs services for that device. If this option is set, the background for this device will turn white in the matrix (see screenshot above).

You can now click the download buttons and begin using the generated installers. This is also possible for redirected devices; although your users don’t get this installer from CAT, an admin might want to have it anyway to include in your own eduroam support pages.

Updating your CAT Profile to use the geteduroam app as the default choice for Android 8+

1. Visit https://cat.eduroam.org and select Manage/eduroam® admin access 

2. Sign in using your preferred Identity Provider 

3. For the profile, select Installer-Fine Tuning and Download 

Under Android 8 and higher  

4. Click Device-specific options… 

5. Select Show the dedicated geteduroam download page for this device from the dropdown menu and ensure the box is checked. 

6. Click Save Data 

7. Repeat for other profiles.

Android 8+ users visiting cat.eduroam.org for your institution will now see the following screen instead:

5. Installer visibility on the user download page

You are in full control of which installers, if any, you want to show as well as when you want to show them on the CAT end-user download pages.

Your control options are:

• Make the EAP profile visible but redirect users to your own support pages (entry is listed, but no download on the public page). This can be set in Profile options – see screenshot.

• Make the EAP profile visible with installers but redirect certain devices to your own pages. Use the Fine-Tuning matrix to set the Redirect option for the device (see previous section).
• Make all installers visible.

All three options require confirmation that you have entered all details and have reviewed the profile to be “production-ready”. Details of your EAP deployment will not be made visible until you have declared your data is set to production-ready. Do this by adding the option with that same name in your Profile properties.

The visibility status of your EAP deployment is indicated with either a green (published) or yellow (unpublished) status icon on the Profile info (see screenshot). If the status is yellow, you can hover with your mouse over it to get a more detailed explanation why the profile is not published.

6. Verifying your RADIUS setup

If you have supplied the CAT with the realm you are using in eduroam, an extra service is enabled: the CAT can send live data probes through the eduroam infrastructure to see if your realm’s RADIUS server is reachable and whether it passes various sanity checks. These tests are triggered by clicking Check realm reachability. You will see an overview page while various tests are run in the background:

The tests will take a few moments and will give you an in-depth overview of how your RADIUS server is doing in the world of eduroam.

The tests include:

• A DNS check to determine whether your realm is publishing NAPTR records for eduroam Dynamic Discovery for RADIUS over TLS; and if so, whether all DNS records are correct (if you don’t know what Dynamic Discovery is, please talk to your national federation operator – it’s cool!). If the DNS checks were successful, the CAT will make actual use of the discovered RADIUS Dynamic Discovery server targets and try to connect. It will present a mix of valid and invalid certificates and will check whether the server acted correctly on receipt of these certificates.

• The results of actual authentication tests, sent the moment you clicked “Check realm reachability: these will not log anybody in (we don’t have actual user credentials) but even with the planned failed authentication, the CAT tool can still run several diagnostics to ensure a good experience.

The results will flag any issues that require action, for example:

• Authentication round-trip times to your realm that take more than 5 seconds are considered suspicious.
• Your server must be able to send and receive UDP fragments (some firewalls incorrectly filter these).
• There are some RADIUS attributes that are commonly present in authentication requests; some servers behave strangely on receipt – CANARIE will reach out if yours has an issue.
• Checks regarding the structure and validity of your server, intermediate and root CA certificates. These checks are thorough, covering everything described on the EAP Server Considerations page.

Below is a typical output if your server certificate is “from the 1990s” (i.e., has not been updated with recent recommendations and requirements for server certificates).

If you feel comfortable giving CAT access to short-lived, real authentication credentials (for debugging purposes with test user accounts only), you can run an actual positive authentication test, in which case we can run further diagnostics.

7. Other

8. Replacing the RADIUS server root CA certificate

9. Getting Help with eduroam CAT