eduroam's EAP authentication is secured using X.509 certificates — the same sort of security certificates you use for websites. However, unlike a web server, you shouldn't necessarily rush out and buy a certificate for eduroam…
There are a few ways to create a security certificate you can use for your eduroam RADIUS server, each with its own pros and cons. You can either use a commercially signed certificate, one signed by an internal CA (e.g. Active Directory Certificate Services), or a long-lived self-signed one. The first of these is probably the easiest to do but comes with some security considerations; the last is generally considered best for security but adds the problem of getting the certificate onto users' devices.
Our recommendation for new deployments is as follows:
GÉANT (who maintain the global eduroam infrastructure) has published a useful guide on the various options available, and their relative pros and cons as part of their campus best practices project.
You'll note that there are several mentions of eduroam CAT above. This is because eduroam CAT generates customised installers for all major operating systems, allowing your users to configure eduroam correctly by simply running an installer. CAT automatically configures the correct security settings for your users, and is the easiest way to onboard your certificates onto user devices.
It is absolutely critical that your users validate the security certificate used for eduroam. This is typically done automatically by their operating system, and eduroam CAT will set things up correctly without your users having to know anything about the process. Without CAT, users may be prompted to check the certificate the first time they connect, and you should publish details of the correct certificate so your users know what to look for.
We've seen a few institutions recommend disabling certificate validation to work around the problem of onboarding a certificate, or to continue using an expired certificate. This is the wrong approach and puts the security of your users' accounts at risk (and thus all the personal and other information they contain). Without certificate validation, an attacker can conduct a man-in-the-middle attack against your users and decrypt their username and password from inside the EAP conversation.
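To make the difference concrete, here is an added example (not from the original page or from any institution's CAT profile) of a wpa_supplicant network block for eduroam, first in the insecure form that skips validation and then in the hardened form. The realm `example.edu`, the server name `radius.example.edu` and the CA file path are placeholders for your own values.

```conf
# INSECURE: no ca_cert, so the client accepts any RADIUS server certificate.
# A rogue access point can terminate the TLS tunnel and recover the
# inner MSCHAPv2 credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"   # placeholder realm
    identity="user@example.edu"                  # placeholder identity
    password="..."
}

# HARDENED: pin the issuing CA and the server name the certificate must carry.
# ca_cert points at the CA that signed your RADIUS server certificate (for a
# self-signed certificate, that is the certificate itself); domain_match
# rejects any server whose certificate is not issued to that name.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"   # placeholder realm
    identity="user@example.edu"                  # placeholder identity
    password="..."
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"      # placeholder path
    domain_match="radius.example.edu"            # placeholder server name
}
```

The hardened block is what eduroam CAT produces for you on each platform; it is shown here only so you can see which settings must never be dropped.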
Our monitoring system will let you know if your certificate is about to expire.