From what I understand:
EAP-TTLS forces the RADIUS server to identify itself to a client with a certificate, but optionally a client to the server. All information about an end-user is encrypted through a tunnel.
EAP-TLS forces the RADIUS server and the client to identify themselves with a certificate. The end-user's name is exposed in cleartext.
Assuming this is correct;
Is it possible to force a TTLS configuration to authenticate both sides? If so, does that not simply make it objectively better than TLS?
Is the fact that TLS exposes usernames incredibly relevant on a private network?
In general, which is more accepted as "the way to do it"?