Many of the same tools you have to address local users and security incidents are still available but "Blacklisting" of the users' MAC address is a common approach. One may be inclined to simply stop allowing eduroamers from an entire realm from joining to address a single user abusing the local network. In extreme circumstances this may be necessary and is a control applied at the RADIUS server itself.
In addition to traditional wireless access control mechanisms as described above, the eduroam-US team, along with others in the eduroam community are pursuing implemntation of the Chargable User Identity (CUI). This unique identifier will allow an administrator to correlate a specific remote user with their login attempts at home. An eduroam administrator who is dealing with such a problem can block the CUI locally and report the CUI back to the home institution. The home institution may then can block the user's account locally, seek to remediate the problem if it is caused by malware, and if necessary pursue disciplinary procedures.
The same community trust fabric that makes eduroam responsive to brute-force attempts against eduroam institutions makes it responsive to other security incidents within the network.