...
- the installation of the CA certificate of your EAP server certificate
- the configuration of the name (CN) of the EAP server certificate (verification of this detail can be omitted ONLY if the Certification Authority exclusively issues server certificates to your own eduroam EAP servers)
- the EAP type to use
We understand that there is a temptation to use some devices with half-baked support for IEEE 802.1X and EAP, where half-baked means they either don't support server certificate validation at all or only in a suboptimal way (e.g. only CA check, no server name validation; or only validation of a certificate fingerprint without certificate chain check). Due to its popularity, we explicitly name Android at this point - it does not allow to configure the expected server name. You may want to support such devices as best as you can, but be aware that you are may be putting your own users and their credentials at risk when doing so. In Android's case, a secure configuration is only possible if you deploy a private CA which issues server certificates exclusively to your own eduroam EAP servers.
In the compatibility matrix, devices with known deficiencies are marked as such.
...