eduroam CAT is the eduroam Configuration Assistant Tool. Its purpose is to support you, an eduroam Identity Provider administrator, by allowing you to generate customised eduroam installers for various platforms. If, instead of native CAT installers, you prefer to use the geteduroam app, which is now available for most platforms, you still need to provide configuration information in CAT - geteduroam will automatically download these settings after the user selects the correct institution/profile.
Depending on the installers used, it is possible to enable customisation, which includes your IdP's name, location and logo, and contact details for your helpdesk. Of course the main purpose of configuration is to provide the RADIUS settings which users need to uniquely identify your IdP when roaming. The installers can be produced in many languages; that way, you can even offer your users an installer in their native language! Further to that, eduroam CAT can also assist you in debugging your own RADIUS setup by comparing your inputs to the actual behaviour of your setup in the eduroam infrastructure.
eduroam CAT can make the end-user installers available on its own user download area, or you may choose to download them yourself and distribute them on your institution's own web page. You can also choose to make only a subset of the supported platforms available for direct download, while redirecting users of select platforms to your own support page (e.g. if you have custom installers with non-standard specialities for these platforms).
Surprisingly many users do not have a clue which operating system they are using. eduroam CAT thus includes operating system detection and automatically suggests the fitting download.

There is a "Choose another installer to download" link which takes users to the full platform selection if they so wish. A screenshot of the download area is below. Try it out yourself: hop over to https://cat.eduroam.org, and select any organisation on the download page!

eduroam CAT supports a broad selection of common end-user client devices and many EAP types. To view the full compatibility matrix of supported EAP types and devices, please visit the front page of eduroam CAT and click on About eduroam CAT in the About item of the top menu. You will see that not all EAP types are supported on all platforms - we largely rely on the target Operating System's capabilities.
For some devices, there is little we can do, since they either do not support proper automatic configuration, or for various reasons such support cannot be used by CAT. For some select devices in that class we still offer the possibility for administrators to set a redirect target for this device. Administrators can then create a dedicated support web page to which the user will be sent for local instructions. You can find the list of these devices on the "Installer Fine-Tuning" page (see below); more devices can be added by the eduroam CAT operators; if you see a need for that please contact cat-users@lists.geant.org.
Notably, Android versions below 4.3 are not supported and likely never will be, sorry. Your helpdesk will have to take care of legacy Android users by other means.
eduroam CAT generally tries to follow vendors' end of life dates:
eduroam CAT is not replacing your helpdesk! While we hope to do you a good service by taking the technical task of generating secure installers for many platforms into our hands, we can not take your users' phone calls or tell them how to fix problems on their computers. The CAT's installers work on the target platforms if these have not been modified beyond reason by the end-user, and we hope the installation process with them is intuitive enough; but we can not give you guarantees that you will not ever hear from failing users again.
eduroam CAT follows the usual organizational model of eduroam: your national federation administrators have control over all the Identity Providers in their country.
The most common approach is to manage your institution with eduroam CAT; please let your national administrator know that you want to participate using your usual communications channels. However, the national administrator may enable an option for self-registration of eduroam administrators. Depending on the situation, when you log into the CAT administrator's interface, you may either just see the information that you are not managing any institution, or more detailed information telling you that, according to the information stored in the eduroam database, you may be eligible to create your institution instance in CAT. Your national administrator will be able to give you more detailed advice on this.
If the self-registration option does not work for you, then just ask your national administrator to send you an invitation token by email (the token is valid for 24 hours after sending it to you). You can then follow the supplied link with the token, log into the eduroam Administration interface, and start managing your institution - see the next section for details of institution and profile setup.
Under the Manage tab, go into eduroam® admin access; you will be automatically sent to the eduroam Support Services' federated login service. This login service does not work with site-specific usernames and passwords; instead, you are presented with a list of sources of identity. Choose any organization that you have an account with:
* eduGAIN: many universities across Europe have already joined the educational Global Authorisation INfrastructure - if your organization is among them, click on that institution and authenticate with your home organization's usual web login credentials.
* Social Networks: if you cannot log in with your institution's credentials (for example, because your institution is not participating in eduGAIN), you can also log in using the federated login function of several popular social networks, including, but not limited to, Google and Facebook.
Some users have noted that none of the above options suits them: e.g. their institution is not participating in eduGAIN, and they have an aversion to using social networks. We understand that if a user finds all the numerous authentication options unacceptable, then they will have a hard time logging in. However, at this moment we do not have a good solution to that problem. It might be worth considering creating a social network account just for the purpose of logging in here; even if the service portfolio offered by e.g. Google is not interesting for the user, their authentication service in itself is useful on its own.
Sometimes, when you have not used CAT for a long time, you may be unsure of how you logged in before (you may have switched from Google to a local IdP, for instance). You could then try to use the IdP Reminder option on the login page.



After you've followed the invitation token from your national administrator or created the new institution yourself based on the eduroam DB contents, you'll be dropped right in the "Edit IdP" page. On that first time, you'll see a "wizard mode" which provides lots of explanatory text about the meaning of all the settings you can make. You can add and delete any of those options; don't be shy and try them all out! Adding a new option is done by pushing the corresponding button, selecting which option you want to set, and then the content of that new option. Changes will only be saved when you hit the "Continue ..." button on the bottom of the page.

When you re-visit the "Edit IdP" page later from the Institution Overview page, the explanatory texts are condensed in order not to overload the user interface. However most of the windows contain the i icon and when you click it, a help window containing the wizard information will open. This is probably most useful for new administrators added to existing institutions.

It is possible to force the wizard mode by manually adding &wizard=true to the URL of your institution or profile editing page.
You can configure four of the five areas mentioned above in this first page. The RADIUS and EAP settings are configured in the more specific Profile configuration at a later stage.
The options in this area - organization name, logo, acronym, alternative names - are self-explanatory. You should add several language variants so that the installers and the user GUI can display things in the most appropriate manner.
The reason for this option is to help the user GUI order institutions based on distance from the user location. This should be helpful in most situations, as most of your users will be probably configuring eduroam while relatively close to your institution.
You should provide information for your users. This information will be shown on the CAT download pages and also by some of the installers. The information may be given in several languages. You can also add a Terms of Use text file. This text will be shown by the installers at the start of the installation so that the users will be able to read and confirm it.
Here, you can now configure all media properties of your eduroam setup.
The SSID "eduroam" for WPA2/AES is always configured as it is the core of the eduroam specification; you do not need to enter this one here (previous versions of eduroam CAT also installed a WPA/TKIP profile; since these are meanwhile obsolete, current CAT installers will silently remove this profile if seen during installation). The list of things you can additionally configure in "Media" are:
Profiles are the specific EAP configurations for your user group(s), and installers are always generated for specific profiles. If you only have one user group, the distinction between institution-wide and profile-wide settings does not make a difference. However, many IdPs have different user groups which share some properties, but not all. One example is where on the one hand students have username/password accounts, authenticating with PEAP and generic helpdesk contact points, and on the other hand permanent staff have TLS Client certificates with EAP-TLS and access to a better second-level helpdesk just for them.
eduroam CAT makes it easy to manage multiple user group profiles for one institution. Shared properties for media properties and helpdesk details can be defined institution-wide (which makes them immediately available in all profiles) or per-profile (the property then is only defined for this specific profile). You can also define institution-wide settings and override them in specific profiles.
Once you have completed the Institution-wide information you will be sent to the institution overview page where you will find two profile creation buttons.

They are used to create your profiles. You can use either of them, so here are the reasons to choose one.
Use this one if one of the conditions below is true:
This will save a bit of work but only if all below conditions are met:
You will need to provide an outer username that will be accepted by your server (no password is necessary as no actual connection will be made). CAT will then reach your server and try to validate the server certificate against the well-known CAs. If one is found, it will be marked in the CAT profile as the one to be trusted. Your server name will also be retrieved from the server certificate and added to the CAT settings. Finally, the outer username will be used to set up the realm information and the name used for anonymous authentication. You will find all these settings already filled in when you are taken to the profile editing page.
If you are going to use a single profile for your institution, then you do not need to set up either a profile name or a description, as they will not be shown anyway. If you have multiple profiles, both of these are necessary and should be provided in multiple languages if you find this appropriate.
There is also one very important option: "Production-Ready". We will not publish your generated installers on the end-user download page unless you set this option and check the box. This is to prevent people from accidentally downloading installers with incomplete information while you are still working on the final setup.

CAT also asks for the RADIUS realm belonging to this profile; submitting the realm name is optional, but highly recommended because it enables us to do very thorough sanity checks on your RADIUS installation later. Please see the section "Verifying my RADIUS setup" for more details.
You can also decide whether you want the generated installers to be configured with an anonymous outer identity, and what that identity should be. This is a very important privacy-preserving option. Without it the actual username becomes visible to every site that this user visits.
If you want users of that profile NOT to be given an installer from the CAT page, you can also specify that we should send your users to your own support page instead. A typical use case for that is if you, the admin, want to generate installers but only download them yourself and present them on your own eduroam support page.

The third part of profile generation is about the EAP types which you've configured in your RADIUS server for this user group. By simple drag&drop, please drag all the EAP types you support into the upper green area. The list is ordered by preference, so drag the EAP types into your preferred order. The CAT will always compare the EAP types you've configured here with the capabilities of the various devices which are to be configured. If the device supports your most preferred EAP type, installers will always be generated for that EAP type. If your preferred EAP type does not work on a given device, the preference list is worked through until a match occurs, and then installers for that device will use that not-so-preferred EAP type (which is better than not supporting eduroam configuration at all). Finally, if there is a complete mismatch between the EAP types you support and the EAP types on a device, then we can't generate installers for that device. You might be luckier if you can change your RADIUS setup to support more EAP types then.

In the EAP Details section, you can upload common properties of your RADIUS installation's EAP configuration. If you have used the autodetect setup then this section will be filled and you probably do not need to do anything (unless your servers use separate names and in such case you need to add them all).
For most EAP methods, the required EAP details are
Note 1 - root certificates
Root CA certificates are needed because they are the trust anchor which the client device uses to verify the incoming server certificate.
Note 2 - intermediate certificates
These are only useful when your RADIUS server is not sending them during the connection.
Note 3 - server certificates
There is no point in uploading the server certificate itself. The server certificate is sent to the client during the EAP exchange at login time. Therefore server certificates (i.e. certificates which do not have Basic Constraints set to TRUE) will not be accepted.
For more information about certificates see here.
Note 4 - CA rollover support
You can upload multiple root CA certificates simultaneously to CAT. This enables CA certificate rollover without a flag day: User devices which were configured with an upcoming new root CA ahead of time will then not even notice the change of server cert from old to new trust root (so long as the Common Name of the server certificate remains unchanged during the rollover).
On the client OSes, all root CAs will be installed and all will be marked trusted. In Windows such certificates also become trusted for all purposes, not just WiFi. Or you can isolate Android users while giving everyone else multiple trust roots early; in this case you can create a different profile (see next section) just for Android and only load the desired root CA into that profile.
Note 5 - expiring certificates
If CA certificates in your configuration expire, then your installers will stop working. The CAT profile page will show you warnings when the expiry time is getting closer; you should then use the rollover procedure to supply new ones in time. Unfortunately, users configured only with the expired certificate will need to rerun the installation procedure. The same is true if for some reason you need to change the root CA to a new one.
After these steps, you can enter/override helpdesk and media properties if you haven't done so on the institution-wide settings already (see above). If you have entered one specific option institution-wide already, and you enter something else here, then the settings on profile level supersede the institution-level ones.
That's all - the CAT then proceeds to a sanity check of the things you have configured and will tell you about any things which need fixing, if any. You are then transported to the Institution dashboard - from where you can continue to download your installers, change institution or profile details, perform sanity checks and more.
OpenRoaming is a Wi-Fi roaming consortium independent from eduroam, but using similar underlying technologies. You can find more details about this consortium and eduroam's interaction, and information for eduroam end users.
eduroam has created infrastructure that allows eduroam IdPs to enable their end-users for joining OpenRoaming hotspots. This
General information and details about the technical setup can be found at Roaming on Passpoint-based network infrastructure (incl. OpenRoaming) (notably the "eduroam IdP" section there). Only the CAT-specific steps are described below:
Enabling OpenRoaming with CAT
Starting with version 2.1, the eduroam onboarding toolset (eduroam CAT and eduroam Managed IdP) integrates Passpoint network definitions in general, and OpenRoaming settings in particular, in its standard workflow. You can enable OpenRoaming by setting the option of that name in the "Media Properties" section:

If you do not see this option, then your National Roaming Operator (NRO) did not enable the functionality in their country or region yet. Please speak to your NRO in that case.
This option can have one out of four states. This is due to two choices you have to make about OpenRoaming inclusion into installers:
1) Do you want to give every end user the choice to decide whether they want to join OpenRoaming networks?
2) Do you inform your end users about the OpenRoaming Terms and Conditions yourself out-of-band, or should this be done by CAT?
Unsurprisingly, this maps to the four choices and end-user download interface:
| Option Value | Meaning | End-User download interface | 
|---|---|---|
| Ask User | User is asked to make a choice; OpenRoaming Terms and Conditions have to be acknowledged during the download process | two buttons and an "Accept T&C" checkbox | 
| Ask User; T&C Pre-Agreed | User is asked to make a choice; no need to acknowledge OpenRoaming Terms and Conditions explicitly because this has been done by the IdP | two buttons ("eduroam" and "eduroam and OpenRoaming") | 
| Always | All users always get an eduroam + OpenRoaming installer, but have to acknowledge the OpenRoaming Terms and Conditions during the download process | one button and an "Accept T&C" checkbox | 
| Always; T&C Pre-Agreed | All users always get an eduroam + OpenRoaming installer, no need to acknowledge OpenRoaming Terms and Conditions because this has been done by the IdP | one button ("eduroam and OpenRoaming") | 
| (not set) | no OpenRoaming, just eduroam | one button ("eduroam") | 
There is an important consideration that you should know about. The geteduroam application, which is becoming a more and more popular means of eduroam setup, uses configuration from CAT, but has some limitations regarding OpenRoaming. It will only support the Always; T&C Pre-Agreed option. Therefore, if you want to provide OpenRoaming support and still leave your users the choice of whether they want to have it or not, you might create two nearly identical profiles, named, for instance, "eduroam only" and "eduroam and OpenRoaming". To save yourself work you can simply use the "Duplicate profile" functionality and then change the minimal details on the copy. Please remember that OpenRoaming users are supposed to understand and accept specific OpenRoaming Terms and Conditions.
DNS setup verification
After enabling OpenRoaming, CAT will execute checks that verify whether your RADIUS realm is correctly configured in DNS. You see the results of this check in the Submission Summary page in your enabled profiles. Please attend to all warnings and errors thoroughly to make sure OpenRoaming will actually work for your users in the field.
These checks can be repeated any time using the "Check Realm Reachability" button (see "Verifying my RADIUS Setup" below). The check page has a new tab for the OpenRoaming checks:

Unfortunately, currently IPv6 connectivity tests are not implemented, so you will receive a warning about those. This will be fixed soon (2.1.1 or a hotfix release).
Technical ability to support OpenRoaming in installers
Support is currently limited to the following operating systems:
| OS family | Notes | 
|---|---|
| Windows 10+ | Depends on chipset and driver capabilities. If not supported, OpenRoaming will be silently ignored during installation. | 
| Apple | CAT native installer (mobileconfig): only works for PEAP and EAP-TLS. The password prompt for OpenRoaming during install is "ugly". geteduroam installer: TTLS support is possible (see extra explanation about geteduroam limits below) | 
| Android 8+ | OpenRoaming availability depends on vendor build and chipset support. | 
| Android 11+ | supported | 
Note on geteduroam and user choice: the in-app workflow only installs OpenRoaming if one of the "Always" variants has been selected. If "Ask user" has been selected, the geteduroam in-app workflow will only install eduroam, not OpenRoaming. "Ask user" will soon work (2.1.1 or as a hotfix) by downloading the Android installer from the end-user download interface of CAT and an "Open with ... geteduroam" (known as 'side-loading' in geteduroam).
By default the profiles are ordered chronologically, but you can easily reorder them by clicking the Change the order of profiles button. You will then be shown a drag&drop interface to do the reordering.
In some cases you may need to create a new profile based on the one you have. You then need to click the Duplicate this profile button. You will be asked to provide a new name for the duplicate and it will be automatically created with all settings, except that the new profile will not be set as "production ready"; you will need to do this manually once you are done with all corrections.
On the institution dashboard page, you see the most important pieces of data that you have entered.

This data (and all profile-specific data) is used to create installers from. To actually get access to the installers, click on the "Installer Fine-Tuning and Download" button in your defined profile.

This will take you to the overview of available installers. It takes the form of a matrix of your enabled EAP types, the devices CAT knows about, and whether or not an installer for all the combinations is available.

Maybe you have something special to communicate to your users? E.g. hints which password to use for EAP-TTLS, or which secretariat to turn to to get the client certificate for EAP-TLS? Maybe you ban Apple Smartphones from your campus and want to alert users to that end?
For all these options, the Fine-Tuning page has extra buttons: you can add free-text for either specific EAP Types or specific devices. This text will then be displayed on the user download page before the download begins. For devices, you can also specify a Redirect target; if this is set, CAT will not provide a download button, but instead will redirect users to the URL you specified. This could, for example, be useful if you have a custom-made or commercial installer for one of the devices, and don't want to use CAT's services for that device. If this option is set, the background for this device will turn white in the matrix (see screenshot above).


You can now push the download buttons and use the generated installers as you see fit. This is also possible for redirected devices; even though your users don't get this installer from CAT, you as an admin might want to have it anyway, e.g. to include it in your own eduroam support pages.
You are in full control of which of the installers, if any, are shown on the CAT end-user download pages, and when. Your control options are as follows:

All three options will require confirmation by you that you have entered all details and have reviewed the profile to be "production-ready". No details of your EAP deployment will be made visible until you have declared your data set production-ready. You do this by adding the option with that same name in your Profile properties.
The visibility status of your EAP deployment is indicated with either a green (published) or yellow (unpublished) status icon on the Profile info (see screenshot). If the status is yellow, you can hover with your mouse over it to get a more detailed explanation why the profile is not published.

If you have supplied the CAT with the realm which you are using in eduroam, an extra service is enabled for you: the CAT can send live data probes through the eduroam infrastructure to see if your realm's RADIUS server is reachable and whether it passes various sanity checks. All these tests are triggered by pushing the button "Check realm reachability". You will be presented with an overview page immediately while various tests are executed in the background:

The tests will take a few to several tens of seconds, and will give you an in-depth overview of how your RADIUS server is doing in the world of eduroam. The tests include

          

A full-access web API makes it possible to create different user interfaces to CAT. In particular, you can list countries with configured institutions, list institutions globally or within a country, list profiles within an institution, ask for the institution logo or even geolocate the user's IP address and, of course, download installers for given user profiles and devices.
CAT 1.1 Windows installers can be run silently with the /S flag, which is useful for institutions which want to build the installers into their own, larger ones.
When your RADIUS server's root CA certificate is about to expire and you need to replace it with a new one, the new CA certificate needs to be communicated to all your users' devices. The procedure to achieve this is as follows:
1. Create a new “migration” eduroam profile in eduroam CAT, containing both the current and new root CA certificates. All previous eduroam CAT profiles should be deleted to avoid them being used. (Caveat: this new profile will not work as intended for Android < 7.1 devices).
2. Require all new and existing end-users to download the “migration” profile. Their devices, except for Android < 7.1, will then be capable of trusting both the current and the new CA, and will accept server certificates from either CA.
3. Once you are confident that all end-user devices have the “migration” profile installed, apply the new server certificate on the RADIUS server(s). Ideally, the host name in the certificate CN/subjectAltNames should be identical to the old server certificate. (Caveat: Android < 7.1 devices configured with the old root CA will now no longer be able to authenticate; they will need to install a new profile containing just the new root CA).
4. Create a new “permanent” eduroam profile in eduroam CAT, containing only the new root CA certificate. Delete the “migration” eduroam profile.
5. Require all existing Android < 7.1 users, and all new users, to download the new profile.
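The timeline of the procedure above, as an added example (not part of the original guide and not eduroam CAT code): a small Python model of which devices can still validate the RADIUS server certificate after each step. The CA labels, the device names and the rule that an Android < 7.1 device keeps only one root CA from a profile are modelling assumptions.

```python
from dataclasses import dataclass, field

# Constructed labels standing in for the two root CA certificates.
OLD_CA, NEW_CA = "old-root", "new-root"

MIGRATION = (OLD_CA, NEW_CA)   # step 1: profile carrying both roots
PERMANENT = (NEW_CA,)          # step 4: profile carrying only the new root


@dataclass
class Device:
    name: str
    legacy_android: bool = False                      # Android < 7.1
    trusted: set = field(default_factory=lambda: {OLD_CA})

    def install(self, profile):
        """Replace the device's trust anchors with those of a CAT profile.

        Modelling assumption: an Android < 7.1 device keeps only the first
        root CA of a multi-CA profile, which reproduces the caveats in
        steps 1 to 3.
        """
        self.trusted = {profile[0]} if self.legacy_android else set(profile)

    def accepts(self, server_issuer):
        """True if the server certificate chains to a trusted root."""
        return server_issuer in self.trusted


def run_rollover(devices, skipped_migration=()):
    """Walk steps 1-5 and record who can authenticate after each stage.

    `skipped_migration` names devices that never installed the migration
    profile in step 2, the situation step 3 tells you to rule out first.
    Returns {stage: {device name: bool}}.
    """
    report = {}
    server_issuer = OLD_CA

    def snapshot(stage):
        report[stage] = {d.name: d.accepts(server_issuer) for d in devices}

    snapshot("0 before rollover")

    # Steps 1-2: publish the migration profile, users reinstall.
    for d in devices:
        if d.name not in skipped_migration:
            d.install(MIGRATION)
    snapshot("2 migration profile installed")

    # Step 3: the RADIUS server switches to a certificate under the new root.
    server_issuer = NEW_CA
    snapshot("3 server certificate replaced")

    # Steps 4-5: permanent profile; legacy Android and stragglers reinstall.
    for d in devices:
        if d.legacy_android or not d.accepts(server_issuer):
            d.install(PERMANENT)
    snapshot("5 permanent profile installed")
    return report


def locked_out(report, stage):
    """Names of devices that cannot authenticate at the given stage."""
    return sorted(name for name, ok in report[stage].items() if not ok)


def demo():
    devices = [Device("win-laptop"), Device("iphone"),
               Device("android-6", legacy_android=True),
               Device("late-macbook")]
    return run_rollover(devices, skipped_migration={"late-macbook"})


if __name__ == "__main__":
    rep = demo()
    for stage in rep:
        print(stage, "-> locked out:", locked_out(rep, stage) or "nobody")
```

The only stage with lock-outs is step 3, and the affected devices are exactly the legacy Android device and the one that skipped the migration profile, which is why step 3 should wait until the migration profile is installed everywhere.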
If you have any questions about the eduroam CAT website or the underlying software, don't hesitate to ask on the mailing list cat-users@lists.geant.org. If possible, please subscribe to the list before posting; this guarantees that you'll get replies even if someone forgets a "reply to all", and also ensures that your post doesn't accidentally get classified as spam and discarded.