A revision of EAP TLS that uses two phases: Setup a secure session by creating a tunnel from certificates stored on the server Authenticate the client’s credentials