Which EAP method uses public key infrastructure with a digital certificate installed on both client and server?

Public key infrastructure with certificates on both ends is used to achieve mutual authentication through TLS. In this method, both the client and the server hold digital certificates issued by trusted authorities. During the TLS handshake inside the EAP exchange, each side proves its identity by presenting its certificate, and both verify the other's certificate using the PKI chain. This establishes a secure, encrypted channel before any credentials are exchanged, and it guarantees that both parties are who they claim to be.

Other EAP methods may rely on server certificates to secure a tunnel or use credentials inside a protected tunnel without requiring a client certificate at all, but they do not mandate certificates on both client and server. That is why this method—requiring a certificate on both sides and performing mutual authentication via TLS—is the one that uses PKI with a digital certificate installed on both client and server.