In general you want to combine case 1 and case 2, so that if the user
has no ticket you get one, then you use that to get a ticket for the
access point. You certainly never want to give the access point or EAP
server the password.

I'd recommend talking to Derek Atkins about your proposal.

Kerberos mailing list