...

CAT 1.1 Windows installers can be run silently with the /S flag, which is useful for institutions which want to build the installers into their own, larger ones.

Replacing the RADIUS server root CA certificate

When your RADIUS server's root CA certificate is about to expire and you need to replace it with a new one, the new server CA certificate needs to be communicated to all your users' devices. The procedure to achieve this is as follows:

...

1. Create a new “migration” eduroam profile in eduroam CAT, containing both the current and new root CA certificates. All previous eduroam CAT profiles should be deleted to avoid them being used. (Caveat: this new profile will not work as intended for Android < 7.1 devices).

2. Require all new and existing end-users to download the “migration” profile. Their devices, except for Android < 7.1, will then be capable of trusting both the current and the new CA, and will accept server certificates from either CA.

3. Once you are confident that all end-user devices have the “migration” profile installed, apply the new server certificate on the Radius server(s). Ideally, the host name in the certificate CN/subjectAltNames should be identical to the old server certificate. (Caveat: Android < 7.1 devices configured with the old root CA will now no longer be able to authenticate, they will need to install a new profile containing just the new root CA).

4. Create a new “permanent” eduroam profile in eduroam CAT, containing only the new root CA certificate. Delete the “migration” eduroam profile.

5. Require all existing Android < 7.1 users, and all new users, to download the new profile.

...