If one doesn???¡é?¡é?????¡é???¡ét validate a server when using TTLS are the user credentials sent in the clear? In other words, does the TLS handshake still happen if the server and client aren???¡é?¡é?????¡é???¡ét set to validate?
Yes, the TTLS handshake will still occur. However, there is another issue.
What you are referring to is called mutual authentication. In short, it forces the client (supplicant) to verify that the RADIUS server is valid. If this isn't done, the supplicant will pass it's credential to ANY RADIUS server because it doesn't verify that it is the correct RADIUS server. A Wi-Fi highjacking attack and spoofed RADIUS server and a person can capture user credentials.
Take a look at these- the second link deals with PEAP but addresses similiar issues that GTHill mentions and no the EAP-TTLS does not expose the username/password in any clear text rather uses the outer, 1st phase derived tunnel from the server with a small hash key that then is used to produce the tunnel and sequential next phases which include the passing of client credentials. the username is sent inside the tunnel just like PEAP MSCHAPv2.
this is talking to the likes of GTHill's post: http://blog.airtightnetworks.com/wifish-finder/
Thank you for the reply and the link.