The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

please allow me to cc the 
cat-users AT geant.net
 mailing list; answers such
as this one are of benefit for the entire community.

> I am writing to you regarding the eduroam CAT, which we highly
> appreciate and would like our users to benefit from.
> 
> After following the eduroam CAT guide for institution administrators,
>  
> https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administratorsI
> encounter difficulties while testing the  generated installers. For
> example, On Mac OS X (Mountain) Lion an eduroam profile is created but
> it is impossible to join eduroam network. On Windows 7, I have noticed
> that the installer is trying to use TKIP encryption. On our campus
> (University of Lausanne Switzerland) we recently changed the eduroam
> WLAN configuration from WPA mixed to WPA2-Enterprise (AES).

eduroam CAT always produces one installer for the SSID eduroam which is
configured for both WPA/TKIP and WPA2/AES. If your network is running
WPA2/AES, then this is of course supported.

On your Windows 7, you may have noticed that the profile is called
"eduroam (with TKIP)" (not "exclusively" TKIP) - when the computer
chooses this profile this does NOT mean it is trying to connect via
TKIP. If the network eduroam is shown in your networks list as being
compatible with this profile, then the Operating System makes the "right
choice" by itself.

The reason for still including WPA/TKIP is that your users may roam to
other hotspots which may not have made the transition. When TKIP is
configured, eduroam will continue to work for your users at these
hotspots; otherwise, they would have to reconfigure their computer.

> I suspect that the issue is due to the TKIP encryption type. Is there a
> way to choose between TKIP and AES, while configuring eduroam CAT in
> order to obtain the installers?
> 
> I must be doing something wrong in the configuration procedure.

The choice to configure the "eduroam" for both TKIP and AES is done
automatically and is not configurable. If you have an additional SSID
which you deploy only in your university, then you have full control
whether or not you want to include the legacy TKIP support by selecting
either the option "Additional SSID" or "Additional SSID (with TKIP)"
where the former one obviously means AES-only.

On your connectivity issue, I contemplate from what you write that
neither Mac OS nor Windows function at all. That is very unusual; we
have many IdPs for which all installers work exactly as advertised.

Are you sure your RADIUS infrastructure is working correctly?
Did you run the realm reachability checks, and do they show an error?
Can you connect to the eduroam network if connecting with manual
configuration instead of CAT installers?

If the answers to the above are Yes, Ran it with no problems, and Yes,
then I suggest you let me take a look at your CAT institution. You can
grant me access by inviting my e-mail address as a co-admin for the
institution with the "Add/Remove Administrators" button.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Attachment: signature.asc
Description: OpenPGP digital signature