The roadwarriors carol and dave set up a connection each to gateway moon. At the outset the gateway authenticates itself to the client by sending an IKEv2 digital signature accompanied by an X.509 certificate.
Next, carol and dave each set up an EAP-TTLS tunnel via gateway moon to the RADIUS server alice, which is authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. carol presents the correct MD5 password and succeeds, whereas dave chooses the wrong password and fails.
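The inner EAP-MD5 exchange described above, as an added example that is not part of the original scenario or of strongSwan's code: it builds and checks MD5-Challenge packets (RFC 3748, digest computed as in CHAP) for carol and dave. The passwords, the identifier value 7 and all function names are constructed for illustration. The response is a plain MD5 over the identifier, the password and the challenge, which is why the scenario only sends it inside the TTLS tunnel.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_md5_packet(code, identifier, value, name=b""):
    """EAP packet: Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6 or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:]

def md5_response_value(identifier, password, challenge):
    # CHAP-style digest: MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def client_respond(request, name, password):
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response_value(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, value, name)

def server_verify(request, response, secrets):
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id or name not in secrets:
        return False
    expected = md5_response_value(req_id, secrets[name], challenge)
    return hmac.compare_digest(value, expected)  # constant-time comparison

def run_scenario():
    # Constructed credentials as the RADIUS server (alice) would hold them.
    secrets = {b"carol": b"constructed-carol-pw", b"dave": b"constructed-dave-pw"}
    results = {}
    for name, typed in [(b"carol", b"constructed-carol-pw"), (b"dave", b"wrong-pw")]:
        request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16))  # fresh challenge
        response = client_respond(request, name, typed)
        results[name.decode()] = server_verify(request, response, secrets)
    return results

if __name__ == "__main__":
    print(run_scenario())
```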