Does the fact that RADIUS relies on a shared secret constitute a security risk?

The security of RADIUS relies not only on the shared secret but also on the IP addresses of the servers configured to use that secret.  A RADIUS server should not be configured to accept an authentication attempt from an unconfigured IP address, even one presenting the correct RADIUS secret (please see the eduroam-US Best Practices document in the Administrators Guide for more details).  It is possible to spoof the source address of a UDP packet, but this should be mitigated by properly configured border and upstream routers, which drop packets whose source addresses do not belong to the network they arrive from.  Moreover, each institution must take further local steps to prevent "rogue" users from impersonating the local RADIUS server(s).
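
As an added illustration (not code from the eduroam-US documents), the following Python sketch models the server-side rule described above: the packet's source IP must match a configured client, and only that client's secret is used to validate the Message-Authenticator attribute (RFC 2869), so a correct secret arriving from an unconfigured address is still rejected. The client table, addresses and user name are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed client table: a RADIUS client is identified by its source IP,
# and only that IP is allowed to use the secret tied to it.
CLIENTS = {"192.0.2.10": b"example-secret-nas1"}

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869, section 5.14)


def build_access_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5 over the
    whole packet with the attribute value zeroed, keyed with the shared secret."""
    authenticator = os.urandom(16)                       # Request Authenticator
    body = attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)  # placeholder MA last
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Walk the attribute list, zero the Message-Authenticator and recompute it."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute length
        if atype == MSG_AUTH_TYPE and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # no Message-Authenticator: treat as unauthenticated


def accept_request(src_ip: str, packet: bytes, clients=CLIENTS) -> bool:
    """Gate a request the way the FAQ recommends: unknown source IP means
    reject before any secret is even consulted; otherwise validate with the
    secret configured for that IP only."""
    secret = clients.get(src_ip)
    if secret is None:
        return False
    return verify_message_authenticator(secret, packet)
```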

The use of RadSec mitigates any risk posed by shared secrets through the use of SSL/TLS certificates in place of RADIUS shared secrets, along with using TCP as the transport which makes spoofing more difficult.  For more information on RadSec please see that section of the Administrator's Handbook.