Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

There is also a lightweight download page for resource-contrained mobile devices. It also includes the operating system detection.

Image Removed  Image Removed

Device Support

eduroam CAT supports a broad selection of common end-user client devices and many EAP types.To view the full compatibility matrix of supported EAP types and devices, please visit the frontpage of eduroam CAT and click on "About eduroam CAT" on the left-hand side. You will see that not all EAP types are supported on all platforms - we largely rely on the target Operating System's capabilities.

...

TTLS Support for Windows XP, Vista, and 7

...

  • ChromeOS products: https://support.google.com/chrome/a/answer/6220366
  • Android products: there is no clear support strategy that could be linked against. Status as of Oct 2021 is that apparently Android 8.1 AOSP is the oldest that still receives security updates.

Scope

eduroam CAT is not replacing your helpdesk! While we hope to do you a good service by taking the technical task of generating secure installers for many platforms into our hands, we can not take your users' phone calls or tell them how to fix problems on their computers. The CAT's installers work on the target platforms if these have not been modified beyond reason by the end-user, and we hope the installation process with them is intuitive enough; but we can not give you guarantees that you will not ever hear from failing users again.

...

There are basically four groups of information which we need to ask of you before we can create good-looking installers for you:
 * general information about your institution (e.g. logo, approximate location, name)

 Image Modified

 * helpdesk contact details (mail, phone, web)

Image Modified

 * media properties (e.g. SSIDs, wired support)

Image Modified

 * RADIUS and EAP details

Image Modified


To the largest extent possible, all the information is optional. If you choose not to let us know all the details we will still create installers, but they just won't contain as much information as they could. Please consider giving us as much information as possible.

...

You can upload multiple root CA certificates simultaneously to CAT. On all supported client OSes, all of them will be installed and all will be marked trusted. This enables CA vertificate rollow certificate rollover without a flag day: User devices which were configured with an upcoming new root CA ahead of time will then not even notice the change of server cert from old to new trust root (so long as the Common Name of the server certificate remains unchanged during the rollover).

Almost all CAT-support client operating systems support mutliple trust roots. There is only one fraction of CAT-supported client OSes which does not support multiple root CAs: Android versions < 7.1. For those, due to an API limitation we are not able to do anything about, only one root CA will be installed; the API also cannot install any intermediate CAs at all. To On the client OSes, all root CAs will be installed and all will be marked trusted. The eduroam CAT Android App, however, will only install one certificate and can thus not be used to support CA rollover. Please use the geteduroam App instead. Or you can isolate Android users while giving everyone else multiple trust roots early,  in this case you could can create a different profile (see next section) just for Android and only load the desired root CA into that profile). Android 7.1 finally got its support for multiple trust roots; the eduroamCAT app will support that in a future update.

Given the update situation on the Android platform, it is naive to think that the unsupported root CA rollover problem will wither out in anything less than five years.  There is unfortunately nothing we can do about it.

.

Overriding IdP-wide Settings

...

CAT 1.1 Windows installers can be run silently with the /S flag, which is useful for institutions which want to build the installers into their own, larger ones.

Replacing the RADIUS server root CA certificate

When your RADIUS server's root CA certificate is about to expire and you need to replace it with a new one, the new CA certificate needs to be communicated to all your users' devices. The procedure to achieve this is as follows:


1. Create a new “migration” eduroam profile in eduroam CAT, containing both the current and new root CA certificates. All previous eduroam CAT profiles should be deleted to avoid them being used. (Caveat: this new profile will not work as intended for Android < 7.1 devices).

2. Require all new and existing end-users to download the “migration” profile. Their devices, except for Android < 7.1, will then be capable of trusting both the current and the new CA, and will accept server certificates from either CA.

3. Once you are confident that all end-user devices have the “migration” profile installed, apply the new server certificate on the Radius server(s). Ideally, the host name in the certificate CN/subjectAltNames should be identical to the old server certificate. (Caveat: Android < 7.1 devices configured with the old root CA will now no longer be able to authenticate, they will need to install a new profile containing just the new root CA).

4. Create a new “permanent” eduroam profile in eduroam CAT, containing only the new root CA certificate. Delete the “migration” eduroam profile.

5. Require all existing Android < 7.1 users, and all new users, to download the new profile.

Getting Help with eduroam CAT

...