I understand that EAP-TLS is a transport layer security function. But even after searching on Google, some lack of clarity remains.
Is EAP-TLS a special implementation of the general EAP protocol definition? Or is EAP-TLS another layer above EAP, as in a protocol stack?
What does EAP do? Is it just a message framing protocol for EAP-TLS?
TLS is most often used for two reasons. The client wants to ensure that it is communicating with the correct server, and that the communication between these two nodes is a secret. In vanilla (non-EAP) SSL/TLS you can still authenticate the client using a private key. However, in practice it is difficult for a user to keep track of a private key (usually a client is issued a smart card). Authenticating with a private key alone may not be appropriate for the situation.
However, let's say a corporation wants to authenticate its employees for access to its VPN or wireless network. Fundamentally this entity wants to control who has access to this transport layer (OSI layer 4). A common use of EAP-TLS is that it allows an entity to use a RADIUS authentication server with an LDAP backend to authenticate its employees with a username and password. For added security the corporation could employ multi-factor authentication, where an iris scan, a smart card with a private key and a password are required. EAP is the “Extensible Authentication Protocol”, and you can choose what authentication system to use. It's not always stronger; there could be a vulnerability in the RADIUS server that allows the client to authenticate.
Hell, if you write the code for it, you could use EAP-TLS to create some authentication system for your network involving a flare gun, smoke signals and a special handshake. From EAP-TLS's perspective the means of authentication is totally arbitrary.
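To make the layering concrete (added example, not code from the asker or the answerer): EAP is the outer carrier (Code, Identifier, Length, Type per RFC 3748), and EAP-TLS is method Type 13 inside it, adding a one-byte flags field (L = length included, M = more fragments, S = start) plus an optional 4-byte total TLS length before the TLS bytes (RFC 5216). The names `EapTlsFragment`, `parse_eap_tls`, `build_eap_tls` and `reassemble` are my own, and the "TLS record" bytes are constructed sample data, not a real handshake.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_TYPE_TLS = 13                         # EAP method type for EAP-TLS (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start

@dataclass
class EapTlsFragment:
    code: int                 # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    flags: int
    tls_total_len: Optional[int]   # present only when the L flag is set
    tls_data: bytes

def parse_eap_tls(pkt: bytes) -> EapTlsFragment:
    """Strip the EAP header, then the EAP-TLS method header; return the TLS bytes."""
    if len(pkt) < 6:
        raise ValueError("packet shorter than EAP header + Type + Flags")
    code, ident, length, mtype = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):            # Length covers the whole EAP packet
        raise ValueError("EAP Length field does not match packet size")
    if mtype != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (Type {mtype})")
    flags, body, total = pkt[5], pkt[6:], None
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        (total,), body = struct.unpack("!I", body[:4]), body[4:]
    return EapTlsFragment(code, ident, flags, total, body)

def build_eap_tls(code: int, ident: int, flags: int, tls_data: bytes,
                  tls_total_len: Optional[int] = None) -> bytes:
    """Wrap TLS bytes in an EAP-TLS method header, then an EAP header."""
    method = bytes([flags])
    if flags & FLAG_L:
        method += struct.pack("!I", len(tls_data) if tls_total_len is None else tls_total_len)
    method += tls_data
    return struct.pack("!BBHB", code, ident, 5 + len(method), EAP_TYPE_TLS) + method

def reassemble(fragments) -> bytes:
    """Join fragments, enforcing the declared total length and a clear M flag on the last one."""
    buf = b"".join(f.tls_data for f in fragments)
    declared = fragments[0].tls_total_len
    if declared is not None and declared != len(buf):
        raise ValueError(f"declared TLS length {declared} != received {len(buf)}")
    if fragments[-1].flags & FLAG_M:
        raise ValueError("last fragment still has the M (more) flag set")
    return buf

# Constructed sample: a fake 7-byte "TLS record" split across two EAP Requests.
SAMPLE_TLS = bytes.fromhex("16030300020100")
SAMPLE_FRAGMENTS = [build_eap_tls(1, 7, FLAG_L | FLAG_M, SAMPLE_TLS[:4], len(SAMPLE_TLS)),
                    build_eap_tls(1, 8, 0, SAMPLE_TLS[4:])]
```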