...
In the case an encrypted tunnel is used, the data/attributes contained conversation outside the encryption tunnel are is called the outer tunnel. The conversation within the encrypted conversation part tunnel is called the "Inner Tunnel". At the time of setting up the encrypted tunnel, the authentication server presents a certificate identifying itself which the supplicant may (and should) choose to verify before sending its login credentials to the server.
...
By default, the 'default' and 'inner-tunnel' sites are enabled. 'default' is the outer tunnel, it listens for incoming requests from the NASes, 'inner-tunnel' receives requests tunneled in the TLS encryption over EAP over RADIUS, forwarded by the outer-tunnel site containing the data from the inner tunnel.
The site files contain multiple sections, here are some of them:
...