Hi Tim,
I have just read the following from the CWSP book:
Creates an Encrypted TLS Tunnel
EAP protocols that require a server-side certificate for the authentication server are used to create Transport Layer Security (TLS) encryption tunnels. TLS is a cryptographic protocol normally used to provide secure communications at the Transport layer of the OSI model. However, in the case of 802.1X/EAP, TLS technology is leveraged at Layer 2. Similar to a browser-based SSL session, the TLS protocol uses end-to-end encryption. Once the supplicant is sure of the identity of the authentication server, the supplicant then uses the certificate to establish an encrypted TLS tunnel. The supplicant identity credentials are then exchanged within the encrypted TLS tunnel. The supplicant identity, we have already learned, can come in many forms. Whatever form of identity is passed by the supplicant, it will be passed within the encrypted TLS tunnel. The TLS tunnel protects the supplicant credentials from offline dictionary attacks and from eavesdropping.
It seems the certificate public key is used only to encrypt the supplicant's username and password, but not the subsequent data.
Thanks for recommending the CWSP book.
Regards,
Julián
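The exchange the book passage describes, as an added example that is not from the CWSP book or from this post: a Go program (standard library only) that plays supplicant and authentication server over an in-memory link with a tap on it. The server certificate, its name `radius.example.test`, the identities and the password are all constructed for the example. The outer identity is sent before any tunnel exists, so the tap sees it; the supplicant then validates the certificate against its trust anchor, completes the TLS handshake, and writes the credentials, which reach the server readable only through the tunnel. EAP framing and RADIUS are omitted, and a plain `user:password` string stands in for the inner credential exchange.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

// Hypothetical name of the authentication server (an assumption of this example).
const serverName = "radius.example.test"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// wireTap copies every byte written on one end of the link into a shared
// buffer, standing in for an eavesdropper on the wireless medium.
type wireTap struct {
	net.Conn
	mu  *sync.Mutex
	log *bytes.Buffer
}

func (t wireTap) Write(p []byte) (int, error) {
	t.mu.Lock()
	t.log.Write(p)
	t.mu.Unlock()
	return t.Conn.Write(p)
}

// selfSignedCert makes an in-memory certificate for the authentication server
// and a trust pool holding only that certificate (the supplicant's trust anchor).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, _ := x509.ParseCertificate(der) // freshly generated DER always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// RunExchange models a tunnelled EAP method: the outer identity goes in the clear, then a
// server-authenticated TLS tunnel carries the real credentials. It returns what the server
// read in each phase and everything the tap captured in both directions.
func RunExchange(outerID, innerID, password string) (outer, inner string, wire []byte) {
	cert, pool := selfSignedCert()
	var mu sync.Mutex
	captured := &bytes.Buffer{}
	supRaw, authRaw := net.Pipe()
	supplicant := wireTap{supRaw, &mu, captured}
	authServer := wireTap{authRaw, &mu, captured}
	done := make(chan struct{})
	go func() {
		buf := make([]byte, 512)
		n, err := authServer.Read(buf) // phase 1: the identity arrives with no protection
		check(err)
		outer = string(buf[:n])
		// Phase 2: present the certificate and build the tunnel. Session tickets are off only
		// because net.Pipe is unbuffered: a ticket sent after Finished would never be read here.
		srv := tls.Server(authServer, &tls.Config{
			Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true,
		})
		check(srv.Handshake())
		n, err = srv.Read(buf) // credentials are readable only inside the tunnel
		check(err)
		inner = string(buf[:n])
		close(done)
	}()
	_, err := supplicant.Write([]byte(outerID))
	check(err)
	// The supplicant builds the tunnel only if the certificate chains to its trust pool and
	// names the expected server; without that check it would hand its credentials to any server.
	cli := tls.Client(supplicant, &tls.Config{RootCAs: pool, ServerName: serverName})
	check(cli.Handshake())
	_, err = cli.Write([]byte(innerID + ":" + password))
	check(err)
	<-done // every write on both ends has completed, so the capture is stable
	return outer, inner, captured.Bytes()
}

func main() {
	outer, inner, wire := RunExchange("anonymous@example.test", "alice@example.test", "Sup3rSecret!")
	fmt.Printf("in the clear: %q   inside the tunnel: %q\n", outer, inner)
	fmt.Printf("password visible to the eavesdropper: %v\n", bytes.Contains(wire, []byte("Sup3rSecret!")))
}
```

Running it prints the outer identity as the server read it, the credential string as it arrived through the tunnel, and `false` for the password being present in the capture. The handshake uses the certificate's key to authenticate the server and derive fresh session keys; everything written through the tunnel after that is encrypted with those keys, not with the certificate's public key directly. The setting worth auditing on real supplicants is the equivalent of the `RootCAs` and `ServerName` pair: the protection the book describes holds only if the supplicant refuses to build the tunnel when the certificate does not validate.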