The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Paetow <address@concealed>]

Hi Eric,

 

To echo Daniele, using eduroam CAT to set up a profile and directing your users to it (or rather, to geteduroam, which uses it), will certainly resolve many issues that users generally end up having. You don’t need to write (or make) complicated (video) guides to tell people how to set up their device. If you only use one domain (for example ‘uwosh.edu’), then you can set up *one* profile, set the ‘Enforce realm’ option and the ‘Enforce exact realm’ option, which forces all your users to add ‘@uwosh.edu’ to the username. If you use multiple domains (‘uwosh.edu’ and ‘students.uwosh.edu’ for example), I would set up multiple profiles and clearly mark them (i.e. ‘Staff’, ‘Students’ …) and set the two options again. Some orgs choose to just use one profile and then leave the ‘Enforce exact realm’ option unselected (so as long as the username ends with ‘uwosh.edu’ it would be ok, but could allow users to try other subdomains).

 

Given that realm-less usernames are arguably the biggest issue we often face in the UK, this takes much of the pain away. Of course, making sure that the certificate chain is correct, that the root CA cert in the profile is correct, and that the CN name (that’s the CN in the server *cert*, not the server name(s)) is accurate is fundamental in getting it right.

 

Geteduroam also ties into the Let’s Wi-Fi portal, so when you switch to EAP-TLS through that, your flow for your users does not change other than them having to log into the portal (via the app) with their university-provided Shibboleth/InCommon ID.

 

There will be the inevitable question from users as to why they should use an app to get access to Wi-Fi (it’s a valid question), but the primary reasons are consistency in setting up the connection (and the enforcement of correct username, trusted certificate and trusted server name), and when you switch to EAP-TLS, advance warning of the certificate expiring, which a manually-set-up connection wouldn’t give you.

 

I hope this helps.

 

Kind regards

 

Stefan Paetow

Federated Roaming Technical Specialist

eduroam(UK), Jisc

 

email/teams: address@concealed

gpg: 0x3FCE5142

 

For eduroam support, please contact the eduroam team via address@concealed and mark it for eduroam’s attention.

I am not available on Mondays and Fridays between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

 

Note: I don’t expect a reply outside of your working hours, since I work internationally with colleagues in different nationalities with different religions, customs, and holidays. Reply when it is convenient for you.

 

Jisc is a registered charity (in England and Wales under charity number 1149740; in Scotland under charity number SC053607) and a company limited by guarantee registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

 

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

 

For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice

 

 

From: <address@concealed> on behalf of "ALBRIZIO DANIELE (via cat-users Mailing List)" <address@concealed>
Reply to: ALBRIZIO DANIELE <address@concealed>
Date: Tuesday, 10 February 2026 at 09:04
To: "address@concealed" <address@concealed>, "address@concealed" <address@concealed>
Subject: Re: [[cat-users]] Help understanding eduroam cat tools - University of Wisconsin - Oshkosh

 

Some people in this list more qualified than me should give you a better answer. 

 

For what is my experience it won't effect your current eap-peap/mschapv2 environment for eduroam.

 

At least in the testing phase, but maybe also further on.

 

In  my experience CAT helped me to adapt my eap-peap/mschapv2 environment to a more straightforward and secure configuration for my users while we are evaluating the migration to let's wifi.

 

On Mon, 2026-02-09 at 19:24 +0000, Eric Berg wrote:

Hello,

 

I'm reaching out to get a better understanding if my environment can leverage eduroam cat tools for our faculty/student byod devices to use eap-tls certificate based authentication?

 

It sounds like we would need to enter our organization into eduroam CAT which we would like to do to test things out if it won't effect our current eap-peap/mschapv2 environment for eduroam.

 

Please let me know your thoughts on this and I will continue to review guide to eduroam CAT for idP administrators to try to get a better understanding.

 

https://wiki.geant.org/spaces/H2eduroam/pages/121346267/A+guide+to+eduroam+CAT+for+IdP+administrators

 

Thank you,

 

 

To unsubscribe, send this message: mailto:address@concealed?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 

-- 

 

---

Daniele Albrizio

Ufficio Reti e Telefonia | Networks and Telephony Office
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
address@concealed
Tel. | Ph. +39 040 558 3319

Ufficio Reti e Telefonia | Networks and Telephony Office
Tel. | Ph. +39 040 558 3331