EAP-TLS 802.1x & security related questions

Benoit benoitne at gmail.com
Tue Feb 23 10:43:57 PST 2016


Hi,

I spent two entire days working with hostap and I am now able to make a lot 
of things work as I would like.
This is the first time I am creating a PKI infrastructure, so I am still learning on 
this side.

My first question is "conceptual" and concerns encryption in the case of 
EAP-TLS / 802.1x:
I have no issue with how authentication works with certificates; it is 
more about the encryption, where CCMP is used. I am wondering which 
method is used, since a PSK is no longer involved: what is used to encrypt 
messages for CCMP? Are they encrypted using the certificates and dynamic keys on each side?

Just to double check that:
wpa_key_mgmt=WPA-EAP
wpa=2
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1

the correct configuration? Is wpa=2 still needed? (I guess yes, to use CCMP.)


My second question is about enforcing security as much as I can. I 
am using:
macaddr_acl=1
auth_algs=1
eapol_version=2
check_crl=2
ieee80211w=2
wpa_key_mgmt=WPA-EAP-SHA256

Regarding the last option (WPA-EAP-SHA256), I don't understand exactly 
where (cipher? algorithm?) SHA256 is used. I am confused and don't see 
where it is applied and used in the different security mechanisms...

I have generated a bigger DH parameter file and use the dh_file option, 
but I don't think it is being used when I analyze a packet 
capture. Any idea why?
Is there anything else I should consider to get the "best secured" system?

A huge thanks for your help :)

belette
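As an added example (not part of the original post or of hostapd itself), a small Python check that parses a hostapd.conf and flags deviations from the EAP-TLS settings asked about above; the sample config and the exact check messages are constructed for this example.

```python
# Added example: audit a hostapd.conf for the EAP-TLS/802.1X options discussed above.
# Constructed sample config (not from the post), combining the posted options.
SAMPLE_CONF = """\
interface=wlan0
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
ieee80211w=2
check_crl=2
"""

def parse_hostapd_conf(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2: RSN (WPA2) only, no legacy WPA1")
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is required for EAP/802.1X authentication")
    akms = conf.get("wpa_key_mgmt", "").split()  # space-separated AKM list
    if any(a.startswith("WPA-PSK") for a in akms):
        findings.append("wpa_key_mgmt offers a PSK AKM alongside EAP; remove it")
    if "WPA-EAP-SHA256" not in akms:
        findings.append("wpa_key_mgmt does not include WPA-EAP-SHA256")
    # rsn_pairwise selects the RSN cipher; hostapd defaults it to wpa_pairwise
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers or "CCMP" not in ciphers:
        findings.append("rsn_pairwise must be CCMP only (TKIP is deprecated)")
    if conf.get("ieee80211w") != "2":
        findings.append("ieee80211w=2 (PMF required) protects management frames")
    if conf.get("check_crl", "0") == "0":
        findings.append("check_crl=0: certificate revocation is not checked")
    return findings

def audit_text(text):
    """Convenience wrapper: parse, then audit, a hostapd.conf string."""
    return audit(parse_hostapd_conf(text))
```

Run `audit_text(open("/etc/hostapd/hostapd.conf").read())` against a real config to list the settings that differ from the hardened set.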
