ap_scan=1
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=PEAP
identity="kthusername@kth.se"
password="NetworkSecret"
subject_match="/CN=radius-wpa-1.lan.kth.se"
phase2="auth=MSCHAPV2"
priority=17
}

When working it should look like:
# wpa_cli -i ethX status 
bssid=xx:xx:xx:xx:xx:xx
ssid=KTHOPEN-WPA
id=1
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address=130.237.2.XXX
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=AES256-SHA
EAP-PEAPv0 Phase2 method=MSCHAPV2