With EAP TTLS the client challenges a server for identity using a certificate and then the server challenges the client using a certificate before sending user authentications.
This form of security is very strong but requires loading certificates on all computers trying to log onto the network in this manner.
Another form which is slightly less tedious is PEAP. With this only the client challenges the server for it’s identify before sending credentials like username and password. In any case only the server would need a certificate installed. FYI the radius server is smart enough to know what authentication type to use while the encryption method is usually hardware or software dependent on the Access Point being used.
Does this satisfy your question?