...
The security of your end-users' credentials (which often means: their institutional username and password) depends on the question whether they verify that they are telling the revealing their password only to their own IdP's RADIUS server or a whether they tell it to any random other server. Failure to verify the identity of the RADIUS server means that anyone can set up a fake RADIUS server, wait until your users connect to it, and log the passwords they used for this login.
...