How should users verify certificates under Microsoft Windows XP, Vista, and 7?

To protect users from Man-in-the-Middle (MITM) attacks it is critical that the institution's RADIUS server certificate can be validated by the client. The simplest way to make that possible is to have it signed by a well-known Certificate Authority (CA) whose root certificate ships with every user's operating system. Such well-known CAs include VeriSign, Thawte, Comodo, and many others. Note that a CA shipped with the operating system is trusted by everyone, including an attacker who buys a certificate from the same CA, so a public CA alone does not stop MITM: the client must also be configured to accept only the institution's server name and the one root CA it expects (in the Windows PEAP properties, the "Connect to these servers" field and the selected Trusted Root Certification Authority).

If your RADIUS server's certificate is not signed by a CA whose root ships with standard operating systems, then users must import the signing CA's certificate into their local certificate store before connecting to eduroam, so that the eduroam RADIUS server's certificate can be validated.

In the case of Microsoft Windows with EAP-PEAP, if the signing CA's certificate is not in the Certificate Store then the connection fails silently: the client simply never connects and no certificate error is shown. An administrator may want to uncheck the "Validate server certificate" checkbox on their own computer and use a set of temporary credentials. If authentication then succeeds, there is likely an issue with the certificates and/or the Certificate Store. If it still fails, the problem is likely in another subsystem (for example the credentials or the RADIUS forwarding path). In this way turning off validation can help to identify the root cause of an EAP-PEAP failure, but it exposes the admin to potential MITM attacks for as long as it is off, so it must be re-enabled afterwards. For this reason it is not a satisfactory solution for end users.
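The same root-cause check can be done without ever turning validation off. The script below is an added PowerShell example and is not part of the original page or of any eduroam tool: it builds the certificate chain of an exported RADIUS server certificate against the local machine's store the way the supplicant would (offline, no revocation lookup), reports why the chain fails (for example UntrustedRoot or PartialChain), imports the institution's CA certificate into the right store, and re-checks. It also prints the server name and root CA subject that belong in the PEAP properties dialog. The file paths are assumptions, the .NET X509 classes used are present on Windows 7 / PowerShell 2.0, and writing to the LocalMachine store needs an elevated prompt.

```powershell
# Added example, not from the original page. Checks whether a RADIUS server
# certificate chains to a trusted root in this machine's certificate store and
# imports the institution's CA certificate when it does not.
# File names below are assumptions: export the real certificates from the
# RADIUS server (DER or Base64 .cer) and adjust the paths.

function Test-RadiusServerCert {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The supplicant has no network access before EAP succeeds, so the real
    # client cannot fetch CRLs either; build the chain offline as it would.
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $trusted = $chain.Build($cert)
    # Last element is the root that was reached (or the last cert found).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status = @()
    foreach ($s in $chain.ChainStatus) { $status += $s.Status.ToString() }
    New-Object PSObject -Property @{
        ServerName = $cert.GetNameInfo("SimpleName", $false)  # value for "Connect to these servers"
        Issuer     = $cert.Issuer
        RootCA     = $root.Subject                            # CA to tick under Trusted Root CAs
        Trusted    = $trusted
        Status     = ($status -join ", ")                     # e.g. UntrustedRoot, PartialChain
    }
}

function Import-RadiusCa {
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # A self-signed root belongs in Trusted Root CAs ("Root"); an intermediate
    # belongs in Intermediate CAs ("CA"), otherwise the chain still ends in
    # UntrustedRoot or PartialChain.
    if ($ca.Subject -eq $ca.Issuer) { $storeName = "Root" } else { $storeName = "CA" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, "LocalMachine"
    $store.Open("ReadWrite")   # LocalMachine stores require an elevated prompt
    $store.Add($ca)            # silently does nothing if it is already present
    $store.Close()
    "$storeName store: added $($ca.Subject) (thumbprint $($ca.Thumbprint))"
}

# Assumed paths; replace with the certificates exported from your RADIUS server.
$serverCertFile = "C:\eduroam\radius-server.cer"
$caCertFile     = "C:\eduroam\institution-ca.cer"

$before = Test-RadiusServerCert $serverCertFile
$before | Format-List ServerName, Issuer, RootCA, Trusted, Status
if (-not $before.Trusted) {
    Import-RadiusCa $caCertFile
    $after = Test-RadiusServerCert $serverCertFile
    $after | Format-List ServerName, Issuer, RootCA, Trusted, Status
    if (-not $after.Trusted) {
        Write-Warning ("Still untrusted (" + $after.Status + "): check that the CA file really is " +
                       "the issuer '" + $before.Issuer + "' and that any intermediate CA was imported too.")
    }
}
```

If the first run reports UntrustedRoot and the second reports Trusted, the failure was in the certificate store and validation can stay enabled; if the second run is still untrusted, the reported status says whether the wrong CA file was imported (UntrustedRoot) or an intermediate certificate is missing (PartialChain). If the server certificate is trusted on the first run, the silent failure lies elsewhere and disabling validation would not have told you more.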