I hear you Wlanman. In most cases, the chicken/egg analogy is helpful, but it added confusion for me too. 802.1X/EAP is an interesting animal. Every time I read something about it I learn something new. In any case, Chris (Wilddev) is spot on. One subtle point to add...the EAP framework is designed so that the AS passes the keying material (derived from 802.1X/EAP auth) to the authenticator. The supplicant will have derived the same key during authentication, so the AS doesn't pass this material across the wireless medium to the supplicant. If the AS sent the keys to the supplicant, it would largely defeat the purpose of mutual authentication.