...

In the above example, a Wi-Fi access point provides access to the 192.168.254.0/24 network. When a device (called a supplicant) attempts to connect to the Wi-Fi network, the wireless access point starts an EAP conversation with the supplicant over 802.1X, requesting it to supply credentials. The access point then connects to the authentication server (which, in the example above, is also part of the 192.168.254.0/24 network) and forwards the EAP response it received from the supplicant as one of the attributes of a RADIUS packet of type Access-Request. If the authentication server needs more information from the supplicant, it answers the access point with a RADIUS packet of type Access-Challenge containing an EAP message to be forwarded to the supplicant. The access point relays this conversation between authentication server and supplicant until the authentication server sends it a RADIUS packet of type Access-Accept or Access-Reject.

EAP itself is an encapsulation protocol: a variety of different protocols can be run inside it to perform authentication. An authentication protocol can be encapsulated directly inside the EAP tunnel, or an encryption protocol can be, inside which (at least in the cases of EAP-PEAP and EAP-TTLS) another instance of the EAP protocol is encapsulated, which in turn carries the actual authentication protocol. According to the comment at the beginning of the 'ttls' section of the mods-available/eap config file, the hierarchy with EAP-TTLS is RADIUS → EAP → TLS → Diameter (a protocol comparable in scope to RADIUS) → again EAP → the actual protocol used for authentication. EAP-PEAP is a comparable encryption protocol; it is possible to use either EAP-TTLS or EAP-PEAP. An example of an authentication protocol that can be used for the actual authentication is MSCHAPv2.
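To make the outer two layers (RADIUS → EAP) concrete, the following Python sketch walks a RADIUS packet, reassembles the EAP packet from its EAP-Message attributes and reports the EAP method in use. It is an added example, not code from this page or from the authentication server; the names `parse_radius` and `build` and the three sample packets are constructed for illustration, and the numeric code points are those of RFC 2865, RFC 3579 and the IANA EAP registry.

```python
import struct

# Code points: RFC 2865 (RADIUS), RFC 3579 (EAP over RADIUS), IANA EAP method types.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse_radius(packet: bytes) -> dict:
    """Decode one RADIUS packet and the EAP packet carried in its EAP-Message attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the data")
    eap, has_auth, pos = b"", False, 20
    while pos < length:
        if pos + 2 > length or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]  # long EAP packets span several attributes
        elif a_type == MESSAGE_AUTHENTICATOR:
            has_auth = True
        pos += a_len
    out = {"radius": RADIUS_CODES.get(code, str(code)), "id": ident,
           "message_authenticator": has_auth, "eap": None}
    if eap:
        if len(eap) < 4:
            raise ValueError("truncated EAP header")
        e_code, e_id, e_len = struct.unpack("!BBH", eap[:4])
        if not 4 <= e_len <= len(eap):
            raise ValueError("EAP length field does not match the data")
        out["eap"] = {"code": EAP_CODES.get(e_code, str(e_code)), "id": e_id, "type": None}
        if e_code in (1, 2) and e_len >= 5:  # only Request/Response carry a type byte
            out["eap"]["type"] = EAP_TYPES.get(eap[4], str(eap[4]))
    return out

def build(code: int, ident: int, *eap_chunks: bytes, signed: bool = True) -> bytes:
    """Constructed sample packet; both authenticator fields are zero-filled placeholders."""
    body = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in eap_chunks)
    if signed:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed exchange: identity response, EAP-TTLS start (flags 0x20), final success.
REQUEST = build(1, 7, b"\x02\x01\x00\x0a\x01alice")
CHALLENGE = build(11, 7, b"\x01\x02\x00\x06\x15\x20")
ACCEPT = build(2, 8, b"\x03\x02\x00\x04")
```

RFC 3579 requires a Message-Authenticator attribute in every RADIUS packet that carries EAP-Message and says packets without one are to be silently discarded, so a result with `message_authenticator` set to `False` is worth flagging. The parser stops at the outer EAP layer: with EAP-TTLS or EAP-PEAP the inner EAP conversation is inside the TLS tunnel and is not visible on the RADIUS link.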

...