Versions Compared

...

In the above example, a wifi router is providing access to the 192.168.254.0/24 network. When a device (called a supplicant) attempts to connect to the wifi network, the wireless router starts an EAP conversation with the supplicant over 802.1X, requesting it to supply credentials. The router then connects to the authentication server (which, in the example above, is also part of the 192.168.254.0/24 network) and forwards the EAP response it received from the supplicant over the RADIUS protocol, as one of the attributes of a packet of type Access-Request. The authentication server may need more information from the client; it then answers the wifi router with a RADIUS packet of type Access-Challenge containing an EAP message to be forwarded to the supplicant. The NAS relays this conversation between the authentication server and the supplicant until the authentication server sends the NAS a packet of type Access-Accept or Access-Reject.

At least some of the communication taking place within the EAP protocol is encrypted (according to the comment in mods-available/eap at line '@@@', the hierarchy is RADIUS → EAP → TLS → Diameter (a protocol comparable in scope to RADIUS) → again EAP → the actual protocol used for authentication). Even when an encrypted authentication method is used, the data/attributes contained directly in the RADIUS conversation are unencrypted. The RADIUS conversation part is called the "Outer Tunnel", whereas the (Diameter?) conversation within the TLS encryption is called the "Inner Tunnel"; data/attributes sent in this conversation are encrypted.

In the case of an Access-Accept, the wifi router allows the supplicant to join the network; in the case of an Access-Reject, it does not. Once the NAS has granted access, the job of 802.1X, RADIUS and the authentication server is done, and the supplicant becomes part of the 192.168.254.0/24 network's broadcast domain. It can now initiate a DHCP request for an IP address or take any other action as may be appropriate.

The authentication server can specify attributes in the reply packet to give the NAS additional instructions; for example, it might request the NAS to place the newly connected supplicant in a specific VLAN, or it might specify for how long the supplicant is allowed to remain connected. The authentication server is able to log that the user connected, along with information from attributes the NAS might have sent; generally this includes the MAC address of the supplicant, the MAC address of the NAS, the username (if authentication was done by username/password) and more, depending on the NAS model.
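The Access-Request / Access-Challenge / Access-Accept round trip described above, as an added Python example (not code from the original page or from FreeRADIUS): a toy NAS and authentication server exchange RADIUS packets carrying EAP-Message attributes, the NAS verifies each reply's Response Authenticator before acting on it, and a helper shows what an on-path observer can read from the outer tunnel. The shared secret, the EAP byte strings and the VLAN value are constructed; attribute numbers follow RFC 2865, 2868 and 3579.

```python
import hashlib, hmac, os, struct

# RADIUS codes / attribute types from RFC 2865, 2868 and 3579 (constructed example).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, STATE, EAP_MESSAGE, TUNNEL_PRIVATE_GROUP_ID = 1, 24, 79, 81
SECRET = b"constructed-shared-secret"  # NAS <-> authentication server shared secret

def encode_avps(avps):
    """Attributes are plain TLVs (type, length, value); the outer tunnel never encrypts them."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(data):
    avps, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        avps.append((t, data[i + 2:i + length]))
        i += length
    return avps

def access_request(ident, avps):
    """NAS -> server: random Request Authenticator, then the attributes in the clear."""
    body = encode_avps(avps)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body

def reply(code, request, avps):
    """Server -> NAS: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + SECRET).digest() + body

def nas_accepts_reply(request, packet):
    # The NAS must match the ID and the authenticator before acting on Accept/Reject/Challenge.
    # (RFC 3579 additionally requires a Message-Authenticator HMAC on EAP packets; omitted here.)
    if packet[1] != request[1]:
        return False
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + SECRET).digest()
    return hmac.compare_digest(packet[4:20], expected)

def outer_tunnel_view(packet):
    """Everything an on-path observer can read from one RADIUS packet: {attribute type: value}."""
    return dict(decode_avps(packet[20:]))

def run_exchange():
    """Identity -> Challenge (State, EAP-Request) -> Response -> Accept carrying a VLAN attribute."""
    req1 = access_request(1, [(USER_NAME, b"anonymous"), (EAP_MESSAGE, b"\x02\x01\x00\x0e\x01anonymous")])
    chal = reply(ACCESS_CHALLENGE, req1, [(STATE, b"sess-1"), (EAP_MESSAGE, b"\x01\x02\x00\x06\x0d\x20")])
    state = outer_tunnel_view(chal)[STATE]  # NAS echoes State so the server can correlate rounds
    req2 = access_request(2, [(STATE, state), (EAP_MESSAGE, b"\x02\x02\x00\x06\x0d\x00")])
    acc = reply(ACCESS_ACCEPT, req2, [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"), (EAP_MESSAGE, b"\x03\x02\x00\x04")])
    return nas_accepts_reply(req1, chal) and nas_accepts_reply(req2, acc), outer_tunnel_view(acc)
```

Note that the outer User-Name ("anonymous") and the VLAN assignment are readable by anyone who can see the NAS-to-server traffic, which is why the real credentials travel only inside the TLS-protected inner tunnel.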

...

By default, the 'default' and 'inner-tunnel' sites are enabled. The 'default' site is the outer tunnel: it listens for incoming requests from the NASes. The 'inner-tunnel' site listens for requests forwarded by the 'default' site, i.e. it receives the requests tunneled inside the TLS encryption over EAP over RADIUS, forwarded by the outer tunnel.

Inner tunnel and outer tunnel sites

...