Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] CAT Installation file for Arch Linux

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] CAT Installation file for Arch Linux

Chronological Thread  
    < Chronological >       < Thread >
  • From: Tomasz Wolniewicz <address@concealed>
  • To: "Waldrep, Jonathan" <address@concealed>, Annie Wang <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [[cat-users]] CAT Installation file for Arch Linux
  • Date: Wed, 24 Jun 2026 11:15:44 +0200

Hi Jonathan,

  thank you very much for your input. Indeed the script was supposed to react to NM not being available and provide the possibility to generate the wpa_supplicant config in such a situation. I will check why this is not working.


  I wonder - did you try to use the geteduroam app for Linux? It is meant to be w replacement for the CAT installers in future. It uses information form CAT but then does things it's own way. I have never tried this on Arch Linux.


Indeed Arch Linux always was a problem since it is hard to guess what users would have installed. I always considered these users to be experienced enough to install eduroam correctly given some basic info for their local support (server name, CA root cert).


I will go trough your suggestions, try to implement something and will be in touch.


Yours

Tomasz Wolniewicz




W dniu 24.06.2026 o 03:38, "Waldrep, Jonathan" (via cat-users Mailing List) pisze:
Annie, I'm not an eduroamCAT developer, but I am a Virginia Tech eduroam admin and daily driver of archlinux.
It looks like the python script for Linux is not distribution specific, but it does assume that if it can reach DBus, then it should configure NetworkManager (unless --iwd_conf or --wpa_conf is provided, more on that in a bit). Arch skews toward "the user should decide how they want to do things and set it up themselves" side of things. As such, many arch users (me included) may not have Network Manager installed at all. In these cases, the script is going to error out (traceback below for the devs).
It looks like it was intended to detect when NM is not present and prompt the user for if they want a wpa_supplicant config or iwd config, but that isn't working. Probably, your non-NetworkManager archlinux users want one of these. If they pass the --wpa_conf flag to the script, it will output the appropriate config to ~/.config/cat_installer/cat_installer.conf. It looks like --iwd_conf is intended to do the same for iwd, but it doesn't seem to be working. It just silently exits without writing a config.
In general, we've found the best way to help Linux users (especially Archlinux and other more manual distributions) is to say, "Your OS is not officially supported by our HelpDesk, but it should work with the right configuration. Here is the institution specific info you need." If you have a local Linux Users' Group, having some presence there goes a long way.

For your convenience, here is a sample SAIT iwd config, which would be installed at /var/lib/iwd/eduroam.8021x:
[General] AutoConnect = true
[Security] EAP-Method = PEAP EAP-Identity = address@concealed EAP-PEAP-CACert = embed:DigiCert_Global_Root_G2 EAP-PEAP-ServerDomainMask = wifiauth.sait.ca EAP-PEAP-Phase2-Method = MSCHAPV2 EAP-PEAP-Phase2-Identity = address@concealed EAP-PEAP-Phase2-Password = YourSAITComputerPassphrase
[@pem@DigiCert_Global_Root_G2] -----BEGIN CERTIFICATE----- MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI 2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx 1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV 5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY 1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl MrY= -----END CERTIFICATE-----
eduroamCAT devs, As promised, here is the traceback for when the script is able to connect to DBus, but NM is not installed:
waldrep@silicon /tmp $ ./eduroam-linux-Virginia_Tech-eduroam.py Traceback (most recent call last):   File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1366, in <module>     run_installer()     ~~~~~~~~~~~~~^^   File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 230, in run_installer     if config_tool.connect_to_nm() is None:        ~~~~~~~~~~~~~~~~~~~~~~~~~^^   File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1096, in connect_to_nm     self.__check_nm_version()     ~~~~~~~~~~~~~~~~~~~~~~~^^   File "/tmp/./eduroam-linux-Virginia_Tech-eduroam.py", line 1148, in __check_nm_version     if version_float >= 1.24:        ^^^^^^^^^^^^^ UnboundLocalError: cannot access local variable 'version_float' where it is not associated with a value
I also noticed a few things that could be improved in the wpa_supplicant config, with varying degrees of importance. I'm using SAIT values as fillers for clarity.
Use domain_match="wifiauth.sait.ca" instead of altsubject_match="DNS:wifiauth.sait.ca". This way the domain can be matched against the SAN or the CN instead of just the SAN. Use base64 blobs to inline the certificates. This avoids shipping a separate file for the CA and makes the config more portable. I've had some issues doing this with client certs (I'm pretty sure this is a wpa_suppliant bug), but it works fine for server certs.
Altogether, a sample SAIT wpa_supplicant.conf might look something like:
network={
        ssid="eduroam"         key_mgmt=WPA-EAP         pairwise=CCMP         group=CCMP TKIP         eap=PEAP         ca_cert="blob://ca"         identity="address@concealed"         domain_match="wifiauth.sait.ca"         phase2="auth=MSCHAPV2"         password="networkpassphrase"         anonymous_identity="address@concealed" }
blob-base64-ca={ MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI 2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx 1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV 5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY 1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl MrY= }
There are other improvements we could make along the lines of WPA3 support and whatnot, but that's more about new features rather than getting the existing feature set working and is probably best handled in a different thread.
-- 
Jonathan Waldrep
From: address@concealed <address@concealed> on behalf of Annie Wang <address@concealed>
Sent: Tuesday, June 16, 2026 12:43 PM
To: address@concealed <address@concealed>
Subject: [[cat-users]] CAT Installation file for Arch Linux
 
Hello,

I hope you’re doing well.
We have students reported that the current Linux  installation file doesn't work for Arch Linux.  
I wonder if eduroam will develope a CAT installation file for Arch Linux.  
Looking forward to your response.


Annie Wang Network Analyst Information Technology Services   Southern Alberta Institute of Technology E.H. Crandell Building, GA208 1301 – 16 Avenue NW, Calgary AB, T2M 0L4 (Office) 403.284.8498 aaddress@concealed     Oki, Âba wathtech, Danit’ada, Tawnshi, Hello. SAIT is located on the traditional territories of the Niitsitapi (Blackfoot) and the people of Treaty 7 which includes the Siksika, the Piikani, the Kainai, the Tsuut’ina and the Îyârhe Nakoda of Bearspaw, Chiniki and Goodstoney. We are situated in an area the Blackfoot tribes traditionally called Moh’kinsstis, where the Bow River meets the Elbow River. We now call it the city of Calgary, which is also home to the Métis Nation of Alberta.     To unsubscribe, send this message: mailto:address@concealed?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users To unsubscribe, send this message: mailto:address@concealed?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users 
-- 
Tomasz Wolniewicz

PNG image

PNG image

Attachment: smime.p7s
Description: Kryptograficzna sygnatura S/MIME


Archive powered by MHonArc 2.6.24.

Top of Page