Certificate Authority certificates must be stored in users' local certificate stores. This allows the user's supplicant to verify the authenticity of the certificate communicated to the supplicant at association/authentication time. This combined with connecting to eduroam at their home institution before traveling abroad for both testing/debugging as well as being presented the RADIUS server's certificate helps to mitigate the risk of Man-in-the-Middle Attacks.
For further information on the subject please see the FAQ entry on Validating Server Certificates with the Microsoft Windows Supplicant.