In general you want to combine case 1 and case 2, so that if the user
has no ticket you get one, then you use that to get a ticket for the
access point. You certainly never want to give the access point or EAP
server the password.
I'd recommend talking to Derek Atkins about your proposal.
Kerberos mailing list Kerberos@mit.edu