The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Paul Menzel <pmenzel AT molgen.mpg.de>]

Dear Tomasz,


Thank you for taking the time to reply.

Am 18.07.23 um 21:39 schrieb Tomasz Wolniewicz:

> I suppose the difference between a static page and a jQuery application 
> is a matter of taste.

I disagree. If you can abstain from JavaScript (jQuery, …), then this is 
preferred, from several perspectives:

1.  Accessibility
2.  People using browsers with no JavaScript support
3.  Maintenance
4.  Security
5.  Sustainability

All the organization page is not usable in console based browsers like 
links.

> We have designed CAT so that you can develop multiple "skins" that
> you can specify by the request argument. In fact we never got as far
> as creating another skin, but this possibility would allow you to
> play with an alternative approach while not breaking the current
> GUI.

In our IT group we do not have the resources to develop a custom skin. 
Even, if we had, I think, we wouldn’t invest it in a custom skin.

> If you really do not like the workflow provided by CAT than you can 
> easily change it. Build your own info pages, then make them to be 
> redirection targets from CAT. On your local instruction pages use deep 
> links to CAT installers and you will achieve the same result with the 
> design that you find best suited for your users. I believe you do pretty 
> much that on your pages, but not use CAT redirects.

As written, I am not able to put any resources into it, and we would 
have liked to also not have to create custom documentation. As every 
institution/organization seems to have to do this, this is quite a lot 
of duplicated work, which would be good to avoid.

> As Stefan mentioned, we are expecting to turn to the application 
> approach. You say you are not  fan, but there are also very good 
> arguments why an app is good;

As I am only dealing with Eduroam casually, I do not know how the 
project works, and why it’s necessary to redesign it. It’d be great if 
you pointed me to a “design page”, and if you could also clarify if 
there was some kind of survey to get feedback from the Eduroam users.

> a) With the app approach you do not really need OS specific 
> instructions, the workflow can be identical everywhere and the app just 
> does most of the work.

It is still subpar to a native OS approach.

> b) An app could realise that the root certificate is going to expire 
> and notify to do an update of the installation profile, or do that in 
> the background.

Is there a design document for that? Currently most of our users 
de-install the app after they set up Eduroam.

> c) The app can be well suited for the given OS giving a better user 
> experience

I am a GNU/Linux guy, so I can only speak from that perspective, and I 
cannot imagine how that will be ever true for distributions.

> d) Our Windows installers are built per institution. They are signed, of 
> course, but systems depending on app reputation can give a higher score 
> to a single universal app.

Is there no generic way how to configure a WPA2 Enterprise connection on 
Microsoft Windows. Have you ever opened an issue with Microsoft or 
talked to the developers?

> e) For Apple devices we provide the mobileconfig files but Apple made it 
> quite difficult to install them, again an app just takes care of all the 
> complexity.

Have you opened an issue at Apple for such a feature?

> Your Android instructions are to install the app and then go to CAT to 
> the the profile. This is not necessary. Install the app and use it to 
> select the institution. The app will pull the profile from CAT and do 
> the installation.

I have experienced it myself once, that our institute wasn’t found in 
the list, and other users reported the same.

> You suggest supporting ONC format, this can be done but using it will 
> require very specific instructions for a given device.

I do not see how that is true on GNU/Linux, if NetworkManager supports a 
configuration file format (whatever that is).

> Some more answers below
>
>
> W dniu 14.07.2023 o 15:31, Paul Menzel (via cat-users Mailing List) pisze:

> > Due to the DFN PKI abandonment, my organization’s Radius server 
> > certificate expired and needed to be replaced. (We started to use our 
> > own Eduroam CA [1].) Therefore, all user devices needed to be updated.
> >
> > Unfortunately, it wasn’t smooth sailing in several cases. The 
> > institute specific cat.eduroam.org URL for our institute [2] is shared 
> > with the users, but my expectation, that the page contains all 
> > necessary information, is not met, and additional documentation in 
> > different languages has to be written. My institute instructions are 
> > at the end.
> >
> > If my expectation is not unreasonable, I see the following pain points 
> > with the Web page.
> >
> > 1.  The wording is confusing. For Android users it’s not clear, they 
> > need to install the “app” first. The small infobox is often overlooked.
>
> You must realize that we have a uniform design for downloads. Android is 
> a special case. The info box pops up and has the Continue button at the 
> bottom. If the users are not willing to read the info then I do not know 
> how we can make them by changing the layout. You can force the redirect 
> to a local page if you like to provide more detailed info. This can be 
> done for a specific device only.

The font is too small and there is too much text. If the uniform design 
doesn’t fit the requirements, it should be changed. For four or five 
different options it could be customized for each choice.

> > 2.  The instructions on the Web page also sound like, you get the 
> > program from the Web page, but it’s only a configuration file.
>
> The message says:
>
> "Before you proceed with installation on Android systems, please make 
> sure that you have installed the geteduroam application. This 
> application is available from these sites: Google Play, as local 
> download and will use the configuration file downloaded from CAT to 
> create all necessary settings."
>
> This gives clear instructions where to get the app from.

The font is too small in my opinion, and if you say, it should work with 
just with *geteduroam*, it should only be written to install the app 
without having to click on “Download your program …”.

> > > Laden Sie Ihr Installationsprogramm herunter für Chrome OS
> >
> > > Laden Sie Ihr Installationsprogramm herunter für Apple Gerät
> >
> > > Laden Sie Ihr Installationsprogramm herunter für Android 8 und höher
> >
> > The wording is confusing, as it’s a configuration file for the first 
> > two, and for Android users seem to have to install an App from the app 
> > store first, which is only shown in the infobox.
> One could argue that we should display the information about downloading 
> the app ABOVE the button, however I am quite sure that people would read 
> this even less. I believe that the popup draws more attention. To be 
> sure we would need to test this with actual users.

I can only share my experience.

In my opinion you only need:

Please install [geteduroam]() from your app store, and follow the 
instructions there. Should you be unable to find your organization in 
the app’s dialog, please try the [configuration file]() directly.

> > 3.  Looking at the information/details, there is no difference in the 
> > description (i symbol) of the two Android options.
> >
> >     > Android 8 und höher
> >     > Dies ist eine generische Konfigurationsdatei im IETF EAP Metadata -00 
> > XML Format.
> >
> >     > Android 4.3 bis 7
> >     > Dies ist eine generische Konfigurationsdatei im IETF EAP Metadata -00 
> > XML Format.
> This is of course on oversight that should be fixed - unfortunately all 
> texts need to go trough the translation process so it is difficult to 
> fix this in a moment.

I’d be happy to create an issue for that. Unfortunately, the page [1] 
does not contain a link to the issue tracker.

> > 4.  Due to the variety of Android versions, there are always users 
> > with phones where the procedure does not work, and need help from the 
> > IT staff.
> >
> > 5.  The information is hidden behind buttons, when clicked on opening 
> > a popup, which often contains only little text. This information 
> > should be directly and more prominently visible.
> I am not sure what you mean by this, could you be more specific?

Sorry, I meant “small”. Visit [1] on a desktop. There is a lot of 
unused, white space. But I have to click on the i-button, and then a 
pop-up with small text appears. No hover info, when hovering over the i 
button.

Clicking on the i-button, a popup with small text appears. I assume, it 
doesn’t fulfill accessibility requirements. There is no information, how 
to run the Python script, and I just tried on Debian 12 with GNOME, 
double clicking on the script in the file browser Nautilus opens the 
script in the text editor gedit.

By the way, pressing Esc does not close the box.

> > 6.  The download URL for files is not visible, hovering over the buttons.
> Again, could you provide some screens? On my devices the download links 
> are clearly visible in the download confirmation page.

```
<div class="button_wrapper">            <button name="linux" 
class="guess_os" id="g_linux" style="display: inline-block;"> 
  <div class="download_button_text_1" 
id="download_button_header_linux">eduroam</div></button>          </div>
```

has no link (href) besides the cursor changes. Users should not click on 
things, without knowing what is (probably) going to happen.

> > 7.  Back and forward buttons do not work, when switching the operating 
> > system, as it’s not separate pages.
> Correct. This is how we have designed it I suppose one could consider 
> implementing reactions to back and forward.

That’d be great.

> > 8.  The Web site does not offer to just show the configuration and to 
> > download the certificate for manual use.
> This would be against the very idea of CAT. Providing certificates and 
> instructions was how we were beginning with eduroam. CAT was made to 
> relieve users of this task. Only experienced users are capable of doing 
> the manual installation.

Why does it have to be either/or?

> > 9.  The Web site is not responsive, and therefore looks bad on a 
> > mobile device.
> I agree that responsiveness is not perfect but saying that the interface 
> is just not responsive seems an overstatement.

Maybe. I guess, one needs to define the term first.

> > 10.  My institute name is spelled differently in German and English, 
> > so sometimes it’s not found in the apps. Sometimes it’s not found at all.
> Stefan has already replied to that, and I suppose you have added both 
> names - I checked that searching does work correctly.

As written, that is our experience.

> > 11. Accessing the page 1.86 MB are transferred (1.17 MB for 
> > jquery.js). It takes over 500 ms to load.
> 0,5s does not seem to be a very long time to me. Also please remember 
> that a single user is going to use this page once for each device. One 
> important part of tuning is the download if the list of available 
> institutions. This is happening in the background. Normally the user 
> will open the page and probably hang for a few moments before moving on. 
> In this time the list is already available and appears instantly.

0.5 s was just for the jquery.js. The (organization) page takes 1.75 s 
in Mozilla Firefox 117.0a1 on a Dell Latitude E7250 from 2013.

I know, users probably don’t notice slow loading times of Web pages 
anymore, but I think it’s still important.

> > 12. According to PageSpeed Insights, it’s not fully accessible [3][4].
> >
> > As every second saved in setup time saves the user and the support 
> > staff time, for this many Eduroam users (millions?), it would be 
> > really great, if a new (static) Web site could be created.
>
> Do you really think that saving a few seconds per user is going to make 
> a change? Multiplying by millions makes this BIG but we re not serving 
> millions in our institutions.

The infrastructure is used by millions, isn’t it?

> And in fact this is another argument for the app approach, we are
> hearing that number of support cases drop drastically when people
> start using geteduroam.

As written, I have no experience, and do not know the reports you 
reference, so I can’t comment these reports. I can imagine, that 
compared to manual instructions it’s an improvement.

To summarize, I’d be really interested in the design document and survey 
results. My gut feeling says, the goal needs to be first to contact to 
the operating system vendors to reach the goal of just having to offer a 
configuration file, and the rest is done by the operating system. Only 
ChromeOS seems to have reached that state currently. According to you 
Apple seems to be close. So only Android, MS Windows and GNU/Linux (with 
NetworkManager) are missing.

I also asked Stefan, if there is already an issue in the Android bug 
tracker. It’d be great, if you could point me to it.

For GNU/Linux, NetworkManager is FLOSS, and instead of an app, it could 
be extended to support whatever configuration format you prefer.

That leaves Mircosoft Windows. If they are unresponsive, only an 
installer would need to be provided for that operating system.


Kind regards,

Paul


> > PS: Why is a script for Linux created instead of extending 
> > NetworkManager to support a configuration file? Users should not have 
> > to run random unverifiable scripts from the internet. I created a 
> > ticket for NetworkManager for ONC support [5].
> >
> >
> > [1]: https://github.com/buczek/eduroam-ca/
> > [2]: https://cat.eduroam.org/?idp=5807
> > [3]: 
> > https://pagespeed.web.dev/analysis/https-cat-eduroam-org/0hp5z32jx6?form_factor=mobile
> > [4]: 
> > https://pagespeed.web.dev/analysis/https-cat-eduroam-org/0hp5z32jx6?form_factor=desktop
> > [5]: 
> > https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1348
> >      "No support for Open Network Configuration (ONC) configuration files 
> > (#1348)"
> >
> > PPS: Our instructions in the intranet (also translated to German):

[…]

PPPS: Just a note, that due to Sympa’s From rewriting your S/MIME 
signature is shown as invalid.