1. Eduroam
On the Pi, either go to cat.eduroam.org and then go through the process to find the appropriate Eduroam installer, or download the Linux script from wireless.le.ac.uk/setup/linux. The link says it's to download the certificate, but that isn't what's downloaded - what you get is a Python script.
2. Generating the certificate and wpa-supplicant file
Run the script (chmod +x first) and it asks for your username and password. You end up with a directory .cat_installer in your home directory, and this contains ca.pem and cat_installer.conf. The latter file contains your password in plain text, which is not a good thing.
3. Hash your password
echo -n your-actual-password | iconv -t utf16le | openssl md4 > pw.txt
4. Edit wpa_supplicant.conf
Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the contents of ~/.cat_installer/cat_installer.conf. Replace the line
password="your-actual-password"
with the line
password=hash:1234567
where 1234567 is the contents of the pw.txt file you created in step 3 (which will be a considerably longer hex number). No quotes. Now delete the file in ~/.cat_installer (cat_installer.conf) that has your plaintext password in it!
I moved the ca.pem file from step 2 to /etc/ssl/certs/leicester.pem, and edited the ca_cert line to reflect the new location and name of the certificate. I also made some other changes based on this site, and a bit of experimentation to see what worked. See below for the final version of the file.
5. Reboot
I now found that I was automatically connected to Eduroam, but DNS lookup wasn't working so I couldn't see websites. I checked the Eduroam settings on my phone, found the IP addresses of the DHCP servers it was using, and entered them on the Pi through the network settings (click on the wifi symbol, change the settings for the Eduroam SSID). The result was an /etc/resolv.conf file that looked like this:
# Generated by resolvconf
domain le.ac.uk
nameserver 143.210.12.158
nameserver 143.210.12.159
I also had to set priorities for the two networks in wpa_supplicant.conf, because the Pi was sometimes connecting to the Cloud (free wifi) rather than Eduroam. I use the Cloud sometimes, but it's no good in headless mode because you have to finish the login process using a browser (and lynx has stopped working for that). The final file looks like this, and the Pi is now reliably connecting to Eduroam without any further intervention (I often use a Pi Zero in serial gadget mode so a web browser is out of the question).
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=GB

network={
    ssid="_The Cloud"
    key_mgmt=NONE
    priority=10
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    ca_cert="/etc/ssl/certs/leicester.pem"
    identity="nja@leicester.ac.uk"
    anonymous_identity="anonymous@le.ac.uk"
    password=hash:9911066b9816dc8dd0e82209ecc138a4
    altsubject_match="DNS:radius.le.ac.uk;DNS:radius.le.ac.uk"
    phase2="auth=MSCHAPV2"
    priority=20
}