...
eduroam CAT makes it easy to manage multiple user group profiles for one institution. Shared properties for media properties and helpdesk details can be defined institution-wide (which makes them immediately available in all profiles) or per-profile (the property then is only defined for this specific profile). You can also define institution-wide settings and override them in specific profiles.
In the first-time wizard, the CAT automatically takes you to the profile creation page as soon as the institution-wide settings are submitted.
If you are going to use a single profile for your institution, you need to set up neither a profile name nor a description, as they will not be shown anyway. If you have multiple profiles, both are required and should be provided in multiple languages if you find this appropriate.
Once you have completed the Institution-wide information you will be sent to the institution overview page where you will find two profile creation buttons.
They are used to create your profiles. You can use either of them; here is how to choose between them.
Manual setup
Use this one if one of the conditions below is true:
- your RADIUS server is not yet reachable via the eduroam infrastructure, perhaps you are testing it locally and you want to see how the installers will work;
- your RADIUS server uses a certificate from a private CA.
Autodetect server details
This will save a bit of work but only if all below conditions are met:
- your RADIUS server is reachable via the eduroam infrastructure;
- your RADIUS server uses a certificate from a public CA (i.e. one listed in general certificate stores).
You will need to provide an outer username that will be accepted by your server (no password is necessary as no actual connection will be made). CAT will then contact your server and try to validate the server certificate against the well-known CAs. If a matching CA is found, it will be marked in the CAT profile as the one to be trusted. Your server name will also be retrieved from the server certificate and added to the CAT settings. Finally, the outer username will be used to set up the realm information and the name used for anonymous authentication. You will find all these settings already filled in when you are taken to the profile editing page.
Profile settings
General properties
There is also one very important option: "Production-Ready". We will not publish your generated installers on the end-user download page unless you set this option and check the box. This prevents people from accidentally downloading installers with incomplete information while you are still working on the final setup.
The CAT also asks for the RADIUS realm belonging to this profile; submitting the realm name is optional, but highly recommended because it enables us to do very thorough sanity checks on your RADIUS installation later. Please see the section "Verifying my RADIUS setup" for more details.
...
If you want users of that profile NOT to be given an installer form from the CAT page, you can also specify that we should send your users to your own support page instead. A typical use case for that is if you, the admin, want to generate installers but only download them yourself and present them on your own eduroam support page.
EAP types
The third part of profile generation is about the EAP types which you've configured in your RADIUS server for this user group. By simple drag&drop, please drag all the EAP types you support into the upper green area. The list is ordered by preference, so drag the EAP types into your preferred order. The CAT will always compare the EAP types you've configured here with the capabilities of the various devices which are to be configured. If the device supports your most preferred EAP type, installers will always be generated for that EAP type. If your preferred EAP type does not work on a given device, the preference list is worked through until a match occurs, and then installers for that device will use that not-so-preferred EAP type (which is better than not supporting eduroam configuration at all). Finally, if there is a complete mismatch between the EAP types you support and the EAP types on a device, then we can't generate installers for that device. You might be luckier if you can change your RADIUS setup to support more EAP types then.
EAP Details
In the EAP Details section, you can upload common properties of your RADIUS installation's EAP configuration. If you specify something here, the settings will be used for all the user profiles you define (see below), unless you choose to override them in one of the profiles. If you have used the autodetect setup, this section will already be filled in and you probably do not need to do anything (unless your servers use separate names, in which case you need to add them all).
For most EAP methods, the required EAP details are
- The Certification Authority (CA) certificate(s) which signed your EAP server certificate
- always include the root CA (root CAs are indicated with a blue circled "R" beside the certificate details after upload)
- optionally include intermediate CAs (intermediate or server certificates are indicated with a blue circled "I" beside the certificate after upload)
- The name of your server as specified in the Common Name (CN) of your EAP server certificate
...
- your EAP server certificate
Note 1 - root certificates
Root CA certificates are needed because they are the trust anchor on the client device, which it uses to verify the incoming server certificate.
Note 2 - intermediate certificates
These are only useful when your RADIUS server is not sending them during the connection.
Note 3 - server certificates
There is no point in uploading the server certificate itself. The server certificate is sent to the client during the EAP exchange at login time. The CA certificates, by contrast, are needed because they are the trust anchor on the client device, which it uses to verify the incoming server certificate.
Note 2 - CA requirements
Various client device operating systems have specific requirements about which CA certificates and server certificates they accept. For more information, please see EAP Server Certificate considerations.
...
Therefore server certificates (i.e. certificates that do not carry the Basic Constraints CA flag set to TRUE) will not be accepted.
For more information about certificates see here.
Note 4 - CA rollover support
You can upload multiple root CA certificates simultaneously to CAT. This enables CA certificate rollover without a flag day: user devices which were configured with an upcoming new root CA ahead of time will not even notice the change of server certificate from the old to the new trust root (as long as the Common Name of the server certificate remains unchanged during the rollover).
On the client OSes, all root CAs will be installed and all will be marked trusted. In Windows such certificates also become trusted for all purposes, not just WiFi. The eduroam CAT Android App, however, will only install one certificate and can thus not be used to support CA rollover. Please use the geteduroam App instead. Alternatively, you can isolate Android users while giving everyone else multiple trust roots early: create a separate profile (see next section) just for Android and only load the desired root CA into that profile.
Note 5 - expiring certificates
If the CA certificates in your configuration expire, your installers will stop working. The CAT profile page will show you warnings as the expiry time approaches; use the rollover procedure to supply new certificates in time. Unfortunately, users configured only with the expired certificate will need to rerun the installation procedure. The same is true if for some reason you need to change the root CA to a new one.
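The notes above boil down to three checks on every certificate an admin uploads: is it self-signed with the Basic Constraints CA flag (a root, the trust anchor), a CA certificate issued by another CA (an intermediate), or a plain server certificate without the CA flag (not a trust anchor, no point uploading it), and how close is it to expiry. The following is an added example, not code from eduroam CAT: a small pure-Python DER reader that performs those checks, plus a minimal DER encoder used only to build a constructed sample chain ("eduroam Example Root CA", "eduroam Example Issuing CA", "radius.example.org" are invented names, and the signatures are dummies that are never verified).

```python
"""Classify uploaded EAP certificates (root / intermediate / server) and flag
approaching expiry. Added example; sample certificates are constructed in-code."""
import datetime as dt

OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                   # 2.5.29.19
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


# --- minimal DER encoder, used only to build the constructed samples ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def seq(*items):
    return der(0x30, b"".join(items))


def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, CN only here
    return seq(der(0x31, seq(der(0x06, OID_CN), der(0x0c, cn.encode()))))


def utc_time(d):
    return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())


def make_cert(subject_cn, issuer_cn, not_after, is_ca):
    """Constructed X.509 v3 certificate in DER: real structure, dummy key and signature."""
    bc_value = seq(der(0x01, b"\xff")) if is_ca else seq()     # cA TRUE / default FALSE
    basic_constraints = seq(der(0x06, OID_BASIC_CONSTRAINTS), der(0x01, b"\xff"),
                            der(0x04, bc_value))
    sig_alg = seq(der(0x06, OID_SHA256_RSA), der(0x05, b""))
    tbs = seq(
        der(0xa0, der(0x02, b"\x02")),                          # version v3
        der(0x02, b"\x01"),                                     # serial number
        sig_alg,
        name(issuer_cn),
        seq(utc_time(dt.datetime(2024, 1, 1)), utc_time(not_after)),
        name(subject_cn),
        seq(sig_alg, der(0x03, b"\x00" * 9)),                   # placeholder SPKI
        der(0xa3, seq(basic_constraints)),                      # extensions [3]
    )
    return seq(tbs, sig_alg, der(0x03, b"\x00" * 17))          # dummy signature


# --- minimal DER reader ---
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        k = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the contents of a constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def common_name(name_body):
    for _, rdn_set in children(name_body):
        for _, atv in children(rdn_set):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return None


def has_ca_flag(extensions_body):
    for _, ext in children(children(extensions_body)[0][1]):
        items = children(ext)                        # [extnID, (critical), extnValue]
        if items[0][1] == OID_BASIC_CONSTRAINTS:
            bc = children(items[-1][1])[0][1]        # BasicConstraints SEQUENCE contents
            return any(t == 0x01 and v == b"\xff" for t, v in children(bc))
    return False


def inspect_cert(cert_der, now, warn_days=90):
    """Return role (root/intermediate/server), CN, days until expiry and warnings."""
    outer = children(cert_der)[0][1]                 # contents of Certificate SEQUENCE
    tbs = children(children(outer)[0][1])            # fields of TBSCertificate
    if tbs[0][0] == 0xa0:                            # drop explicit version tag
        tbs = tbs[1:]
    issuer, validity, subject = tbs[2][1], tbs[3][1], tbs[4][1]
    exts = [v for t, v in tbs if t == 0xa3]
    ca = bool(exts) and has_ca_flag(exts[0])
    not_after = dt.datetime.strptime(children(validity)[1][1].decode(), "%y%m%d%H%M%SZ")
    days_left = (not_after - now).days
    role = "root" if ca and issuer == subject else "intermediate" if ca else "server"
    return {"cn": common_name(subject), "role": role, "trust_anchor": ca,
            "days_left": days_left, "expiry_warning": days_left < warn_days}


# Constructed sample chain: root CA -> issuing CA -> RADIUS server certificate
SAMPLES = [
    make_cert("eduroam Example Root CA", "eduroam Example Root CA", dt.datetime(2034, 1, 1), True),
    make_cert("eduroam Example Issuing CA", "eduroam Example Root CA", dt.datetime(2027, 1, 1), True),
    make_cert("radius.example.org", "eduroam Example Issuing CA", dt.datetime(2025, 3, 1), False),
]
SAMPLE_NOW = dt.datetime(2025, 1, 1)                  # fixed "today" for reproducible output
SAMPLE_REPORT = [inspect_cert(c, SAMPLE_NOW) for c in SAMPLES]

if __name__ == "__main__":
    for entry in SAMPLE_REPORT:
        print(entry)
```

The `role` field reproduces the "R" / "I" markers CAT shows after upload, `trust_anchor` is False for any certificate without the CA flag (the reason a server certificate is rejected), and `expiry_warning` is the check to run well before the 90-day default so that a rollover root can be added to the profile in time.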
Overriding IdP-wide Settings
After these steps, you can enter/override helpdesk and media properties if you haven't done so on the institution-wide settings already (see above). If you have entered one specific option institution-wide already, and you enter something else here, then the settings on profile level supersede the institution-level ones.
That's all - the CAT then proceeds to a sanity check of the things you have configured and will tell you about anything which needs fixing, if any. You are then taken to the Institution dashboard, from where you can continue to download your installers, change institution or profile details, perform sanity checks and more.
...