In EAP-TLS, certificates are used to provide authentication in both directions.

Strong authentication is a key component of wireless LAN security because it prevents unauthorized users from gaining network access.
Wireless LAN protocols are also designed in such a way that bolstering the access control also makes it quite easy to shore up the encryption of traffic, to the point where deploying products to improve authentication will also provide greater privacy of the information traveling over the wireless LAN.
In practice, only methods based on the IETF's well-known Transport Layer Security (TLS) standard can satisfy strict encryption and authentication requirements.
Three TLS-based protocols have been developed for use with EAP and are suitable for deployments with wireless LANs: EAP-TLS uses a TLS handshake as the basis for authentication.
802.1x was initially developed for authentication of users on traditional wired LANs, and therefore did not require strong encryption.
Eavesdropping is certainly possible on wired networks, though it requires physical access to network equipment.
Part of the challenge to deploying 802.1x on a wireless network is to decide on the type of authentication that will be used.
The authentication method is the key decision to make in deploying a wireless network, since it will drive all the product choices you make.
The bottom line: EAP-TLS is secure, but the requirement for client certificates is too big a hurdle for most institutions to deal with.