...
In the case an encrypted tunnel is used, the data/attributes contained directly in the RADIUS conversation are unencrypted. The RADIUS conversation part is called the "Outer Tunnel", whereas attributes sent '@@@' within the encrypted tunnel outside the encryption tunnel are called the outer tunnel. The encrypted conversation part is called the "Inner Tunnel", data/attributes sent in this conversation are encrypted. At the time of setting up the encrypted tunnel, the authentication server presents a certificate identifying itself which the supplicant may (and should) choose to verify before sending its login credentials to the server.
...