The short answer is as follows: The supplicant (authentication client) on the eduroamer's computer creates an encrypted tunnel from her laptop all the way back to her home institution's RADIUS server, whether it is in the next room, or across an ocean. The only party privy to the contents of that tunnel are the eduroamer and their home institution. The home institution attempts to authenticate the eduroamer's credentials and replies, with either Accept or Reject, to the site from which the eduroamer is attempting to gain access. If the provided credentials are accepted by the eduroamer's home institutions then the local institution grants access to the eduroamer, and they are able to access the network as if they were a local users.
The long answer involves 802.11i, 802.1x, RADIUS, and EAP all working in concert.