...
During the EAP conversation, the eduroam IdP RADIUS server always needs to send its server certificate during the RADIUS/EAP conversation.
One question needs an administrative decision: if there is one or more intermediate CAs between the root CA and the server certificate (such as is the case with, for example, the TERENA Certificate Service (TCS) and many commercial CAs), should the intermediate CA certificates be sent to the end user device during the EAP conversation, or should the devices pre-install the intermediate CAs along with the root certificate?
...