The Q/A was not about what changes from network setup to network setup, but about the world-wide default eduroam network settings of:
There cannot be a world-wide default for the CA certificate, as it isn't used for connecting to the eduroam network itself – it is for connecting to your institution's EAP server specifically. (In other words, the CA certificate setting belongs to the specific "outer authentication" method such as PEAP or EAP-TTLS that your institution uses. The TLS handshake happens inside PEAP/TTLS.)
The only global requirement is that the "anonymous identity" field (aka "outer identity") must be in user@domain
format, and the domain must match your home organization's domain – that's how eduroam routes the EAP requests towards the home organization.
(The eduroam network does not validate the outer username, however, so it's typical to specify [email protected]
or even just @the.domain
as the outer identity – hence "anonymous identity".)
The inner identity field, on the other hand, is completely invisible to the visited organization or to eduroam as a whole – it is sent encrypted within the EAP TLS tunnel to your home organization and validated there. Because of that, it cannot have a "world-wide default" format either; it's up to each organization to decide what it accepts.
There is a mistake in the entries of the settings above. As a Username, you have to enter your full email, not just the username. This was also in the guide, but can be misunderstood in the settings.
Some organizations accept usernames without a @domain suffix (typically if they use the same RADIUS servers for other purposes besides eduroam), while other organizations deliberately reject such usernames, as it almost always indicates that the user forgot to enter a @domain at all (i.e. their "outer/anon. identity" field is missing one as well, and such a configuration would stop working as soon as the user visited another organization). Generally you should always include the domain.
It is possible that either a) the guide was written by someone whose organization did not have a @domain requirement (at the time), or b) the guide was written with Eduroam CAT in mind, which adds the domain automatically.
If you enter these settings, you are asked for a CA (certificate authority) certificate, which is not listed in that guide (why not???).
Because many such guides date back to when WPA-EAP clients would default to no verification at all – i.e. it would still work without a CA specified; the UI wouldn't indicate anything about it being insecure; so specifying the correct CA was effort that most students wouldn't go through anyway.
Additionally, your home organization is using a public CA, so it's not very useful to specify it here anyway (as there's nothing that would prevent any other customer of that CA from using literally any random HTTPS certificate to perform a MITM attack).
What the tutorial should have suggested is using system CAs but specifying a domain to match against the EAP server's "leaf" certificate (similar to how the URL is matched against an HTTPS certificate). Unfortunately, the NetworkManager GUI in your screenshot is also old and doesn't offer this as an option – you would need to specify the domain through CLI. Eduroam CAT does this automatically though.