In general you want to combine case 1 and case 2, so that if the user has no ticket you get one, then you use that to get a ticket for the access point. You certainly never want to give the access point or EAP server the password. I'd recommend talking to Derek Atkins about your proposal.