Unfortunately, the proposed solution, WPA Enterprise, has its own set of pitfalls. Unless one opts for EAP-TLS, which is quite secure, some fun can be had with certain other EAP methods if they are implemented insecurely. It is especially inadvisable to use AD credentials and skip certificate validation or make it optional. For further research: https://github.com/opensecurityresearch/hostapd-wpe
Notice this does not set up certificate validation (and therefore does not authenticate that the AP is actually from Cornell). It also tells you to use the completely broken MSCHAPv2 and log in with credentials that allow access to a number of other university services.
So in this setup, not only can you still trivially impersonate a Cornell AP, all clients also give you their specific login credentials in a way that allows you to recover their passphrase.
It's true that it doesn't (and can't) authenticate that the AP is "actually from Cornell" and indeed that's the point of EduROAM.
But it will be talking to Cornell to authenticate you, and so, no, you can't "recover their passphrase".
EduROAM is a global federation. So what's happening goes like this:
Let's say I'm a Cornell student
1. I follow these instructions, probably while on campus to make my, let's say, iPhone work with WiFi. My "NetID" is tialaramex for this example.
2a. Probably my phone automatically concludes that network-access.it.cornell.edu is really network-access.it.cornell.edu because it has a Web PKI cert that says so, just like on an HTTPS website.
2b. But if not, I have a step where I tell the phone this certificate looks OK. This is effectively TOFU (Trust On First Use) because I'm a naive user, which isn't great, but it'll protect against many attacks later.
3. I go to the University of Sydney, in Australia, as an example.
4. My device sees an AP named "eduroam" because I'm at a university in a developed country and the Network Effect means it makes sense for all universities to join eduroam.
5. My device says "Hi I'm tialaramex@cornell.edu † let me in"
6. Sydney's AP talks to an Australian server which talks to Cornell, which agrees to talk to my device about this, over TLS
7. My device confirms that this TLS connection matches the certificate we saw earlier, or has a trusted certificate for network-access.it.cornell.edu
8. Using the risible MSCHAPv2 protocol (but happily inside TLS) my device proves I am really tialaramex@cornell.edu
9. Cornell tells Sydney that yup, I am an authorised Cornell network user, let me in.
10. I get the same privileges as a local Sydney student/professor in terms of network access. If there's any problem (maybe I use 40GB in one day from PornHub), Sydney know which Cornell user I am and they can take it up with Cornell. In extremis they can "blacklist" me.
† It is possible to arrange that the local institution does not find out your "real" username at your home institution, since they don't need to know that in order to connect to the right authentication service. But mostly nobody cares.
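The two sides of this argument (the "no certificate validation, MSCHAPv2 in the clear to any AP" setup of the earlier comments, and the "MSCHAPv2 inside a TLS tunnel pinned to the home institution" flow of steps 2a, 7 and 8, plus the anonymous outer identity of the † footnote) come down to a handful of supplicant settings. The script below is an added example and is not code from the thread, from Cornell or from eduroam: it writes the weak wpa_supplicant block beside a hardened one and audits a config file for PEAP/TTLS networks that would hand the MSCHAPv2 exchange to any AP that broadcasts the SSID. The NetID, password and file paths are constructed; the option names (`ca_cert`, `ca_path`, `domain_match`, `domain_suffix_match`, `altsubject_match`, `anonymous_identity`, `phase2`) are real wpa_supplicant options, and it is assumed, as the comment above states, that `network-access.it.cornell.edu` is the name on the RADIUS server's Web PKI certificate. The check is a text-level heuristic: it does not verify that the CA file exists or that the name is correct.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a wpa_supplicant.conf for the
# PEAP/MSCHAPv2 pitfall discussed above (inner MSCHAPv2 with no check on the
# RADIUS server certificate, so an evil twin AP receives the challenge/response)
# and show the weak network block beside a hardened one.
# NetID, password and paths are constructed; option names are wpa_supplicant's.

audit_wpa_conf() {
    # $1: path to a wpa_supplicant.conf. Prints one line per PEAP/TTLS network
    # and returns 1 if any of them would accept an arbitrary server certificate.
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*network=[{]/ { inblk = 1; ssid = ""; eap = ""; ca = 0; name = 0; anon = 0; next }
    inblk && /^[ \t]*[}]/ {
        inblk = 0
        if (eap == "PEAP" || eap == "TTLS") {
            if (!ca)        { status = "INSECURE: no ca_cert/ca_path, any AP certificate is accepted" }
            else if (!name) { status = "WEAK: ca_cert set but no domain_match/domain_suffix_match/altsubject_match, any cert from that CA is accepted" }
            else if (!anon) { status = "OK (real identity still sent in the clear-text outer EAP-Identity)" }
            else            { status = "OK" }
            printf "%s eap=%s %s\n", ssid, eap, status
            if (status !~ /^OK/) bad = 1
        }
        next
    }
    inblk {
        sub(/^[ \t]+/, "")
        if ($0 ~ /^#/ || $0 == "") next
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1); gsub(/"/, "", val)
        if (key == "ssid") ssid = val
        if (key == "eap") eap = val
        if (key == "ca_cert" || key == "ca_path") ca = 1
        if (key == "domain_match" || key == "domain_suffix_match" || key == "altsubject_match") name = 1
        if (key == "anonymous_identity") anon = 1
    }
    END { exit bad }
    ' "$1"
}

write_samples() {
    # $1: directory. Writes two constructed configs. The weak one mirrors the
    # criticised instructions: MSCHAPv2, no CA, no server name, so the TLS
    # tunnel terminates on whoever answers to the SSID. The hardened one pins
    # the CA bundle and the RADIUS server name (steps 2a and 7 above) and uses
    # an anonymous outer identity, so the visited site only sees the realm.
    cat > "$1/weak.conf" <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="tialaramex@cornell.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@cornell.edu"
    identity="tialaramex@cornell.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="network-access.it.cornell.edu"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Stand-alone demo: write both samples into a temp dir and audit each.
dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    if audit_wpa_conf "$dir/$f.conf"; then
        echo "$f.conf: the tunnel can only end at the pinned server"
    else
        echo "$f.conf: an evil twin 'eduroam' (e.g. hostapd-wpe) gets the MSCHAPv2 exchange"
    fi
done
rm -rf "$dir"
```

Run it as `sh audit.sh`, or source it and call `audit_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf` against a real file. The three-way ranking matters: with no `ca_cert` the supplicant accepts any certificate, so the TLS tunnel protects nothing; with `ca_cert` but no name match, any certificate chaining to that CA (for a public bundle, any Web PKI certificate at all) is accepted, which is only slightly better; only the CA plus a `domain_match` on the home institution's RADIUS name gives the guarantee step 7 above relies on.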
You don’t have to set up a certificate because the university is using a public cert. My old uni configures their network the same exact way.
And the situation isn’t really all that dire because once you connect to the real university wireless once it will pop up a warning if another network with the same SSID appears but doesn’t present the cert.