How does eduroam-US address SSL/TLS Man-in-the-Middle attacks against 802.1x and RADIUS proxies?
Certificate Authority certificates must be stored in users' local certificate stores. This allows the user's supplicant to verify the authenticity of the certificate communicated to the supplicant at association/authentication time. This combined with connecting to eduroam at their home institution before traveling abroad for both testing/debugging as well as being presented the RADIUS server's certificate helps to mitigate the risk of Man-in-the-Middle Attacks.
For further information on the subject please see the FAQ entry on Validating Server Certificates with the Microsoft Windows Supplicant.