In 802.11i, outer EAP authentication uses TLS.

In WPA2-Enterprise (802.11i) authentication runs through 802.1X, with EAP messages carried over EAPOL between the client and the server. When the EAP method used is TLS-based (such as EAP-TLS) or a tunneled method like PEAP or TTLS, a TLS handshake takes place as the outer part of the EAP dialogue. This outer TLS tunnel protects the credentials and authenticates both sides, and from this exchange a PMK (Pairwise Master Key) is derived. That PMK is then used in the subsequent 4-way handshake to establish the encryption keys for data traffic on the wireless link. So the outer EAP authentication uses TLS. If there’s an inner method inside a tunnel (in PEAP/TTLS, for example), that inner method handles the actual user credentials, while the TLS outer layer remains the protection for the exchange.