The open network redirects to a custom captive portal (using HTTPS and a normal certificate issued by a CA) where users sign up and provide payment information.
After payment is complete, users are enabled in the RADIUS database, and can then reconnect to the WPA2-Enterprise SSID to get online.
We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but have tried our Comodo wildcard SSL certificate, which hasn't fixed it.
These machines belong to the end users, so we can't easily control settings with group policy or registry hacks.
Not an ideal setup, but your department will need to do the risk analysis.
If you do go this route, make sure you document for CYA purposes.
The generic settings below will allow you to configure a wireless device to connect to eduroam.
Not all the configuration settings will be available on all devices.
From a security standpoint the best option is to set up a captive portal.
Students can use their BYOD devices to connect and reach the portal, pass their user authentication credentials to the portal and the portal can then talk to the RADIUS server.
Ideally they should then provide their network credentials at connection time and be seamlessly connected.
It appears that the Subject Alt Name entry of the certificate must be set to the DNS used to reach the RADIUS server.
This is a classic bring-your-own-device network, think university halls of residence.