...

Parameters for Secure Device Configuration

The security of your end users' credentials (which usually means their institutional username and password) depends on whether their devices verify that they are sending the password to their own IdP's RADIUS server rather than to some other server. If the identity of the RADIUS server is not verified, anyone can set up a fake RADIUS server presenting an arbitrary certificate, wait until your users connect to it, and log the credentials they present during that login.

eduroam Operations sometimes observes eduroam IdPs actively instructing their users to turn off server identity validation for the sake of "ease of use". Examples of such instructions are "Uncheck the 'Verify Server Certificate' checkbox" or "when you are shown a certificate warning, just click Accept". We would like to note that such behaviour by an IdP is a breach of the eduroam policy: the instructions MUST include proper verification of the server identity. In practice, this means:

The security-relevant details of the public-facing parts of your RADIUS infrastructure must be communicated to end users and be readily available to them, including at least:

...
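To make the difference concrete, here is an added example (not taken from the eduroam wiki and not an eduroam or IdP configuration) of a wpa_supplicant network block for the eduroam SSID, once without and once with server identity validation. The realm example.edu, the server name radius.example.edu, the user alice and the CA file path /etc/eduroam/ca.pem are assumed placeholder values; an IdP would publish its real values as part of the details described above.

```conf
# Added example (assumed placeholder values, not real eduroam data):
# realm example.edu, RADIUS server radius.example.edu, CA at /etc/eduroam/ca.pem

# INSECURE: no ca_cert and no server name check. The supplicant accepts any
# server certificate, which is exactly what "Uncheck 'Verify Server
# Certificate'" produces: a rogue access point with its own RADIUS server
# receives the user's MSCHAPv2 response (or, with TTLS/PAP, the password itself).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# SECURE: trust only the CA that issued the IdP's server certificate AND
# require the expected server name. Both are needed: pinning the CA alone
# still trusts every other certificate that CA has issued.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity carries only the realm, so the username is not sent in the clear
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    # CA certificate(s) as published by the IdP (file path is an assumption)
    ca_cert="/etc/eduroam/ca.pem"
    # full match against the server certificate's dNSName (or CN if none);
    # use domain_suffix_match only if the IdP documents several server names
    domain_match="radius.example.edu"
}
```

Every other supplicant exposes the same three parameters under different names (the "Verify server certificate" checkbox, a CA certificate selection, and a server name or "domain" field); an instruction page that leaves any of them out leaves the user exposed to the fake-server attack described above.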