...
The reason for still including WPA/TKIP is that your users may roam to other hotspots which may not have made the transition to AES yet. When TKIP is configured, eduroam will continue to work for your users at these hotspots; otherwise, they would have to reconfigure their computer.
In the EAP Details section, you can upload common properties of your RADIUS installation's EAP configuration. If you specify something here, the settings will be used for all the user profiles you define (see below), unless you choose to override them in one of the profiles.
For most EAP methods, the required EAP details are:
- The Certification Authority (CA) certificate(s) which signed your EAP server certificate
  - always include the root CA (root CAs are indicated with a blue circled "R" beside the certificate details after upload)
  - optionally include intermediate CAs (intermediate or server certificates are indicated with a blue circled "I" beside the certificate after upload)
- The name of your server as specified in the Common Name (CN) of your EAP server certificate
Note that there is no point in uploading the server certificate itself. The server certificate is sent to the client during the EAP exchange at login time. The CA certificates, by contrast, are needed because they are the trust anchor which the client device uses to verify the incoming server certificate.
Also note that various client device operating systems have specific requirements about which CA certificates and server certificates they accept. For more information, please see EAP Server Certificate considerations.
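Before entering these details, you can check with the openssl command line that the CA certificate(s) and server name you are about to configure match the certificate your RADIUS server presents. The script below is an added example and not part of the CAT documentation; the function names, file names and the server name radius.example.org are assumptions, and all certificates are throwaway samples constructed by the script.

```shell
#!/bin/sh
# check_eap_details CA_BUNDLE SERVER_CERT EXPECTED_CN
#   CA_BUNDLE: the CA certificate(s) you would upload to CAT, in PEM format
#   returns 0 = consistent, 1 = chain does not verify, 2 = CN mismatch
check_eap_details() {
    # Clients hold only the CA certificate(s); the server certificate arrives
    # in the EAP exchange and must chain up to that trust anchor.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # The server name entered in CAT must equal the certificate's CN.
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$3" ] || return 2
}

# Constructed sample data: throwaway self-signed root CA named $2 in dir $1.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Constructed sample data: server certificate with CN $3, signed by root $2.
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 2 -CAcreateserial \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -out "$1/server.pem" 2>/dev/null
}

d=$(mktemp -d)
make_root "$d" rootA      # the CA that really signed the server certificate
make_root "$d" rootB      # an unrelated CA uploaded by mistake
make_server "$d" rootA radius.example.org   # hypothetical server name

check_eap_details "$d/rootA.pem" "$d/server.pem" radius.example.org &&
    echo "right CA, right name: consistent"
check_eap_details "$d/rootB.pem" "$d/server.pem" radius.example.org ||
    echo "wrong CA uploaded: rejected (rc=$?)"
check_eap_details "$d/rootA.pem" "$d/server.pem" radius.example.net ||
    echo "wrong server name: rejected (rc=$?)"
rm -rf "$d"
```

With your real files, pass the PEM file containing the root (and any intermediate) CA certificates as the first argument and a copy of the RADIUS server certificate as the second.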
Profiles
Profiles are the specific EAP configurations for your user group(s), and installers are always generated for specific profiles. If you only have one user group, the distinction between institution-wide and profile-wide settings does not make a difference. However, many IdPs have different user groups which share some properties, but not all. One example is where on the one hand students have username/password accounts, authenticating with PEAP and generic helpdesk contact points, and on the other hand permanent staff have TLS Client certificates with EAP-TLS and access to a better second-level helpdesk just for them.
...
After these steps, you can enter helpdesk and certificate details if you haven't done so on the institution-wide settings already (see above). If you have entered one specific option institution-wide already, and you enter something else here, then the settings on profile level supersede the institution-level ones. For certificates this means: if you upload one CA certificate on the profile level, all CAs which you may have defined on the institution-wide page already will be ignored for this profile.
That's all - the CAT then proceeds to a sanity check of the things you have configured and will tell you about anything which needs fixing, if any. You are then taken to the Institution dashboard, from where you can continue to download your installers, change institution or profile details, perform sanity checks and more.
...