How does the supplicant connect to the auth server in EAP TTLS?

I understand that a tls has to be established between the supplicant (end user device) and the auth server but a few things are unclear :

  1. How does the supplicant know the ip adress of the auth server ?
  2. The supplicant is not granted access yet it has to communicate with tls, does that mean it is granted a temporary local ip address and only requests to the auth server are forwarded via usual NAT by the access point ?
  3. How does the supplicant authenticate the server ? If I were connecting to a website, I would chech the common name (and that the chain is correct up to a root CA certificate I have), but what would the supplicant check for in common name (subject) ?