EAP-TTLS/EAP-TLS with freeRADIUS

Mr Dash Four mr.dash.four at googlemail.com
Sat Nov 26 22:04:25 CET 2011


I am trying to set up freeRADIUS server implementing (wireless) user 
authentication (running wpa_supplicant) via AP (running hostapd).

After reading various howtos and documentation as well as looking at 
numerous sources on the Internet, I can't see a way in which the AP is 
authenticated to the RADIUS server by using only its certificate 
attributes (CN, Subject, Issuer etc.) - it seems that freeRADIUS always 
needs some sort of "password" or "shared secret" specified.

Is it possible *not* to use this and rely solely on the 
strength/culpability (depending on the way one looks at it) of PKI? If 
so, how do I achieve that? A very simple configuration file example 
would suffice! In relation to that - another question: the rlm_eap text 
file (in the doc/ directory) distributed with the source code (I am 
using 2.1.12) states that "Currently Freeradius supports only 2 
EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?

As for the actual EAP-TTLS/EAP-TLS authentication process I have another 
query - my understanding of the theory behind this method is that the 
authentication/authorisation process is done in two distinct phases - 
outer and inner authentication. This also allows for the use of two 
distinct sets of (client, server, ca) certificates to be specified in 
each phase. If that is so, how is this configured/specified in the 
eap.conf configuration file (or elsewhere)?

Many thanks!
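An illustrative configuration, added here and not taken from the original post or from the freeRADIUS project's shipped files: it shows where the two phases the question describes live in a 2.1.x eap.conf (the outer TLS tunnel in the `tls` subsection, the inner method handed off to a virtual server by the `ttls` subsection) and where the NAS-to-server shared secret lives (clients.conf). File paths, the client name, its IP address and the secret value are constructed placeholders.

```conf
# --- eap.conf (illustrative fragment; paths are assumptions) ---
eap {
    # Outer method offered to the supplicant.
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no

    # Phase 1 (outer): the TLS tunnel. These certificates identify the
    # RADIUS server to the supplicant; CA_file is what client certificates
    # are verified against if the outer method is EAP-TLS.
    tls {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.key
        private_key_password = changeme-placeholder
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
    }

    # Phase 2 (inner): the method run inside the tunnel. The request is
    # processed by the "inner-tunnel" virtual server, so the inner method
    # is configured there rather than in this block.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# --- clients.conf (illustrative fragment; values are constructed) ---
# The secret here is the RADIUS-protocol shared secret between the NAS (the
# AP running hostapd) and the server; it is independent of the EAP
# certificates above, which authenticate the supplicant, not the AP.
client ap1 {
    ipaddr    = 192.0.2.10
    secret    = constructed-shared-secret
    shortname = ap1
}
```

The point worth checking in any such setup: the certificates in the `tls` block belong to the EAP conversation carried inside RADIUS and never identify the AP, so the `secret` in clients.conf is what stops an arbitrary host from submitting requests as that NAS and should be long and unique per client. Authenticating the NAS itself by certificate is a transport-level feature (RADIUS over TLS, "RadSec", later standardised as RFC 6614), configured as a separate listener and not in eap.conf.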
