A guide to eduroam CAT for institution administrators
eduroam CAT: purpose and scope
eduroam CAT is the eduroam Configuration Assistant Tool. Its purpose is to support you, an eduroam Identity Provider administrator, by allowing you to generate customised eduroam installers for various platforms. The customisation includes your IdP's name, location and logo, contact details for your helpdesk, and of course the RADIUS settings which users need to uniquely identify your IdP when roaming. The installers can be produced in many languages; that way, you can even offer your users an installer in their native language! Further to that, eduroam CAT can also assist you in debugging your own RADIUS setup by comparing your inputs to the actual behaviour of your setup in the eduroam infrastructure.
eduroam CAT can make the end-user installers available on its own user download area, or you may choose to download them yourself and distribute them on your institution's own web page. You can also choose to make only a subset of the supported platforms available for direct download, while redirecting users of select platforms to your own support page (e.g. if you have custom installers with non-standard specialities for these platforms).
eduroam CAT supports a variety of of typical end-user client devices. In particular, it can generate eduroam installers for these platforms:
- Microsoft Windows 8
- Microsoft Windows 7
- Microsoft Windows Vista
- Microsoft Windows XP (Service Pack 3)
- Mac OS X Mountain Lion
- Mac OS X Lion
- iPhone, iPad, iPod touch
- many Linux distributions
As of right now, it notably does NOT support Android, sorry. Your helpdesk will have to take care of Android users by other means.
The support for all the above devices covers many common EAP types; however not all EAP types are supported on all platforms - we largely rely on the target Operating System's capabilities.
eduroam CAT is not replacing your helpdesk! While we hope to do you a good service by taking the technical task of generating secure installers for many platforms into our hands, we can not take your users' phone calls or tell them how to fix problems on their computers. The CAT's installers work on the target platforms if these have not been modified beyond reason by the end-user, and we hope the installation process with them is intuitive enough; but we can not give you guarantees that you will not ever hear from failing users again.
To see how the end-user area looks like, take a look at the following screenshot or try it out live: just hop over to https://cat-test.eduroam.org. You can select any institution, like "RESTENA Foundation" in Luxembourg, to get to the download page of the installers for that institution.
Enrolling my institution for eduroam CAT
Step 1: Requesting an entry for your institution
eduroam CAT follows the usual organizational model of eduroam: your national federation administrator has control over all the Identity Providers in his country. To manage your institution with eduroam CAT, please let your national administrator know that you want to participate using your usual communications channels.
If he finds you eligible for the service, he will send you an invitation email with a token (the token is valid for 24 hours after sending it to you). You can then follow the supplied link with the token, log into the eduroam Administration interface, and start managing your institution - see the next section for details of institution and profile setup.
How to log into eduroam CAT?
When clicking on the Administration interface link, you will be automatically sent to the eduroam Support Services' federated login service. This login service does not work with site-specific usernames and passwords; instead you are presented with a list of sources of identity. Choose any organization that you have an account with:
* eduGAIN: many universities across Europe have already joined the educational Global Authorisation INfrastructure - if your organization is among them, click on that institution and authenticate with your home organization's usual web login credentials
* Experimental: some institutions are in the process of joining eduGAIN, but are not production-level members; if that is the case for your institution, you might find your institution's authentication service in this Experimental list
* Social Networks: if you cannot log in with your institution's credentials (for example, because your institution is not participating in eduGAIN), you can also log in using the federated login function of several popular social networks, including, but not limited to, Google and Facebook.
Some users have noted that none of the above options suits them: e.g. their institution is not participating in eduGAIN, and they have an aversion against using social networks. We understand that if a user finds all the numerous authentication options unacceptable, then he will have a hard time logging in. However, at this moment we do not have a good solution to that problem. It might be worth considering creating a social network account just for the purpose of logging in here; even if the service portfolio offered by e.g. Google is not interesting for the user, their authentication service in itself is useful on its own.
Configuring my institution's properties
explain inst-wide settings and that multiple profiles are possible. Lots of details for some of the settings. Screenshots.
Generating installers for my users
Fine-tuning page, production-ready flag. screenshots.
Verifying my RADIUS setup
explain realm testing tool. Note UDP frag check, Op-Name; most admins will probably have neglected these things.