
...

EAP itself is an encapsulation protocol: a variety of different protocols can be run inside it to perform the actual authentication. An authentication protocol can be encapsulated directly inside EAP, or an encrypted (TLS) tunnel can first be established inside EAP, within which (in the cases of EAP-PEAP and EAP-TTLS) either another instance of EAP or the authentication protocol itself is then carried. According to the comment at the beginning of the 'ttls' section of mods-available/eap, the hierarchy with EAP-TTLS is RADIUS → EAP → TLS → Diameter (a protocol comparable in scope to RADIUS, whose AVPs carry the inner attributes) → optionally again EAP → the actual protocol used for authentication. EAP-PEAP is similar in functionality, but carries the inner EAP conversation directly inside TLS without the Diameter layer. An example of a protocol that can be used for the actual authentication is MSCHAPv2 (as the inner EAP method EAP-MSCHAPv2 under PEAP, or as plain MS-CHAPv2 AVPs under TTLS).

When an encrypted tunnel is used, the data/attributes carried directly in the RADIUS conversation are still unencrypted (RADIUS itself only obfuscates a few attributes such as User-Password; the rest of the packet travels in the clear). This RADIUS part is called the "Outer Tunnel", whereas the conversation inside the TLS encryption (Diameter AVPs for EAP-TTLS, EAP for EAP-PEAP) is called the "Inner Tunnel"; data/attributes sent there are encrypted, which is why the real user name and the credentials belong in the inner tunnel while the outer identity can be an anonymous one. At the time of setting up the encrypted tunnel, the authentication server presents a certificate identifying itself, which the supplicant may (and should) verify before sending its login credentials to the server. A supplicant configured not to verify the server certificate will build the tunnel with whatever server answers, so a rogue access point can collect the inner credentials (for MSCHAPv2, the challenge/response pair, which can then be attacked offline).
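As an added example (not code from the original page or from FreeRADIUS), the following Python script decodes the layering described in the two paragraphs above on a constructed RADIUS Access-Request: the RADIUS header and attributes (the outer tunnel, including the outer User-Name), the EAP packet reassembled from EAP-Message, the EAP-TTLS flags byte, and the TLS record that carries the inner conversation. The sample packet, its zeroed authenticators, the dummy ciphertext and the small name tables are assumptions made for this example; the inner Diameter AVPs cannot be decoded without the TLS session keys, which is the point the example makes.

```python
# Added example: walk the RADIUS -> EAP -> EAP-TTLS -> TLS encapsulation of an
# Access-Request and report what each layer exposes to a passive observer.
# Not FreeRADIUS code; the sample packet below is constructed, not captured.
import struct

RADIUS_ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address",
                     79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NAMES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS",
                  25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS packet (RFC 2865): 20-byte header, then type/len/value attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad RADIUS attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def parse_eap(msg: bytes) -> dict:
    """Parse an EAP packet (RFC 3748) and, for TLS-based methods, the first TLS record."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg) or length < 4:
        raise ValueError("bad EAP length")
    out = {"code": EAP_CODE_NAMES.get(code, code), "id": ident, "type": None, "tls": None}
    if code in (1, 2):  # only Request/Response carry a Type field
        etype = msg[4]
        out["type"] = EAP_TYPE_NAMES.get(etype, etype)
        if etype in (13, 21, 25):  # EAP-TLS / EAP-TTLS / EAP-PEAP: flags byte, then TLS data
            flags, off = msg[5], 6
            if flags & 0x80:  # L bit set: 4-byte TLS message length precedes the data
                off += 4
            tls = msg[off:]
            if len(tls) >= 5:  # TLS record header: content type, version, length
                ctype, ver, rlen = struct.unpack("!BHH", tls[:5])
                out["tls"] = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                              "version": hex(ver), "length": rlen}
    return out


def describe_layers(pkt: bytes) -> dict:
    """Return what the outer tunnel exposes and whether the inner tunnel is readable."""
    radius = parse_radius(pkt)
    # Everything carried directly in RADIUS is the outer tunnel and is readable as-is.
    outer = {RADIUS_ATTR_NAMES.get(t, t): v for t, v in radius["attrs"] if t != 79}
    # EAP-Message fragments concatenate into one EAP packet (RFC 3579).
    eap = parse_eap(b"".join(v for t, v in radius["attrs"] if t == 79))
    return {"outer_attributes": outer, "eap": eap,
            "inner_tunnel": "opaque (TLS-protected)" if eap["tls"] else "none / cleartext"}


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_sample_access_request() -> bytes:
    """Constructed sample: a supplicant's EAP-TTLS response carrying one TLS
    application_data record (the encrypted inner conversation), wrapped in RADIUS."""
    ciphertext = bytes(range(32))  # stand-in for the encrypted Diameter AVPs
    tls_record = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    eap_payload = bytes([21, 0x00]) + tls_record  # type 21 = EAP-TTLS, flags = 0
    eap = struct.pack("!BBH", 2, 5, 4 + len(eap_payload)) + eap_payload  # code 2 = Response
    attrs = (_attr(1, b"anonymous@example.org")  # outer identity travels in the clear
             + _attr(4, bytes([192, 0, 2, 10]))
             + _attr(79, eap)
             + _attr(80, bytes(16)))  # real Message-Authenticator is an HMAC-MD5; zeroed here
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16)  # code 1 = Access-Request
    return header + attrs


if __name__ == "__main__":
    for layer, value in describe_layers(build_sample_access_request()).items():
        print(f"{layer}: {value}")
```

Running it shows the outer User-Name, NAS-IP-Address and Message-Authenticator in the clear, the EAP Response typed as EAP-TTLS, and a TLS application_data record whose content is opaque; the real user name and the MSCHAPv2 exchange live inside that record.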

...