No. You are saying that the supplicant should trust those root CA's for ALL authentication.
i.e. you have a certificate for "example.com", signed by Verisign. The supplicant is configured to trust the verisign-signed certificates, because that's what you have.
Now *anyone* who is issued a certificate from verisign can authenticate your users. If your users are using EAP-TTLS with PAP authentication, you've just convinced them to send their clear-text password to some random person on the Internet.
RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That means that no one else can successfully convince the users to send them the passwords.
I definitely second that. We keep telling our eduroam participants that well-known CAs are not only no plus, but instead MAY introduce insecurity (properly configured supplicants also check the CN in the certificate, which makes the risk go away; still, if a user forgets that, recognised CAs introduce a threat while self-signed ones don't). Either self-signed certs or at least dedicated CAs for the specific purpose of RADIUS Auth are the best practice. Some people which are in possession of a cert-store-present (read: browser-recognised) CA think it solves all problems whatsoever. They have a hard time laerning that it can actually be a hindrance, but it is a lesson everyone who is really concerned about security should learn at some point. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473