The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Waldrep, Jonathan" <address@concealed>]

Annie,

I'm not an eduroamCAT developer, but I am a Virginia Tech eduroam admin and daily driver of archlinux.

It looks like the python script for Linux is not distribution specific, but it does assume that if it can reach DBus, then it should configure NetworkManager (unless --iwd_conf or --wpa_conf is provided, more on that in a bit). Arch skews toward "the user should decide how they want to do things and set it up themselves" side of things. As such, many arch users (me included) may not have Network Manager installed at all. In these cases, the script is going to error out (traceback below for the devs).

It looks like it was intended to detect when NM is not present and prompt the user for if they want a wpa_supplicant config or iwd config, but that isn't working. Probably, your non-NetworkManager archlinux users want one of these. If they pass the --wpa_conf flag to the script, it will output the appropriate config to ~/.config/cat_installer/cat_installer.conf. It looks like --iwd_conf is intended to do the same for iwd, but it doesn't seem to be working. It just silently exits without writing a config.

In general, we've found the best way to help Linux users (especially Archlinux and other more manual distributions) is to say, "Your OS is not officially supported by our HelpDesk, but it should work with the right configuration. Here is the institution specific info you need." If you have a local Linux Users' Group, having some presence there goes a long way.

For your convenience, here is a sample SAIT iwd config, which would be installed at /var/lib/iwd/eduroam.8021x:

[General]

AutoConnect = true

[Security]

EAP-Method = PEAP

EAP-Identity = address@concealed

EAP-PEAP-CACert = embed:DigiCert_Global_Root_G2

EAP-PEAP-ServerDomainMask = wifiauth.sait.ca

EAP-PEAP-Phase2-Method = MSCHAPV2

EAP-PEAP-Phase2-Identity = address@concealed

EAP-PEAP-Phase2-Password = YourSAITComputerPassphrase

[@pem@DigiCert_Global_Root_G2]

-----BEGIN CERTIFICATE-----

MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh

MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3

d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH

MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT

MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j

b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG

9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI

2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx

1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ

q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz

tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ

vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP

BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV

5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY

1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4

NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG

Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91

8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe

pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl

MrY=

-----END CERTIFICATE-----

eduroamCAT devs,

As promised, here is the traceback for when the script is able to connect to DBus, but NM is not installed:

waldrep@silicon /tmp $ ./eduroam-linux-Virginia_Tech-eduroam.py

Traceback (most recent call last):

  File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1366, in <module>

    run_installer()

    ~~~~~~~~~~~~~^^

  File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 230, in run_installer

    if config_tool.connect_to_nm() is None:

       ~~~~~~~~~~~~~~~~~~~~~~~~~^^

  File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1096, in connect_to_nm

    self.__check_nm_version()

    ~~~~~~~~~~~~~~~~~~~~~~~^^

  File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1148, in __check_nm_version

    if version_float >= 1.24:

       ^^^^^^^^^^^^^

UnboundLocalError: cannot access local variable 'version_float' where it is not associated with a value

I also noticed a few things that could be improved in the wpa_supplicant config, with varying degrees of importance. I'm using SAIT values as fillers for clarity.

Use domain_match="wifiauth.sait.ca" instead of altsubject_match="DNS:wifiauth.sait.ca". This way the domain can be matched against the SAN or the CN instead of just the SAN.

Use base64 blobs to inline the certificates. This avoids shipping a separate file for the CA and makes the config more portable. I've had some issues doing this with client certs (I'm pretty sure this is a wpa_suppliant bug), but it works fine for server certs.

Altogether, a sample SAIT wpa_supplicant.conf might look something like:

network={

        ssid="eduroam"

        key_mgmt=WPA-EAP

        pairwise=CCMP

        group=CCMP TKIP

        eap=PEAP

        ca_cert="blob://ca"

        identity="address@concealed"

        domain_match="wifiauth.sait.ca"

        phase2="auth=MSCHAPV2"

        password="networkpassphrase"

        anonymous_identity="address@concealed"

}

blob-base64-ca={

MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh

MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3

d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH

MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT

MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j

b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG

9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI

2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx

1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ

q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz

tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ

vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP

BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV

5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY

1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4

NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG

Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91

8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe

pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl

MrY=

}

There are other improvements we could make along the lines of WPA3 support and whatnot, but that's more about new features rather than getting the existing feature set working and is probably best handled in a different thread.

-- 

Jonathan Waldrep

---

From: address@concealed <address@concealed> on behalf of Annie Wang <address@concealed>
Sent: Tuesday, June 16, 2026 12:43 PM
To: address@concealed <address@concealed>
Subject: [[cat-users]] CAT Installation file for Arch Linux

 

Hello,

I hope you’re doing well.

We have students reported that the current Linux  installation file doesn't work for Arch Linux.  

I wonder if eduroam will develope a CAT installation file for Arch Linux.  

Looking forward to your response.

	Annie Wang Network Analyst Information Technology Services   Southern Alberta Institute of Technology E.H. Crandell Building, GA208 1301 – 16 Avenue NW, Calgary AB, T2M 0L4 (Office) 403.284.8498 aaddress@concealed
Oki, Âba wathtech, Danit’ada, Tawnshi, Hello. SAIT is located on the traditional territories of the Niitsitapi (Blackfoot) and the people of Treaty 7 which includes the Siksika, the Piikani, the Kainai, the Tsuut’ina and the Îyârhe Nakoda of Bearspaw, Chiniki and Goodstoney. We are situated in an area the Blackfoot tribes traditionally called Moh’kinsstis, where the Bow River meets the Elbow River. We now call it the city of Calgary, which is also home to the Métis Nation of Alberta.

 

 

To unsubscribe, send this message: mailto:address@concealed?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users