
...

When an encrypted tunnel is used, the conversation outside the encrypted tunnel is called the "Outer Tunnel", and the conversation within it is called the "Inner Tunnel". While the encrypted tunnel is being set up, the authentication server presents a certificate identifying itself, which the supplicant may (and should) choose to verify before sending its login credentials to the server.

On an Access-Accept, the Wi-Fi access point allows the supplicant to join the network; on an Access-Reject, it does not. Once the NAS has granted access, the job of 802.1X, RADIUS and the authentication server is done, and the supplicant becomes part of the 192.168.254.0/24 network's broadcast domain. The authentication server can specify attributes in the reply packet to give the NAS additional instructions. For example, it might request that the NAS place the newly connected supplicant in a specific VLAN, or it might specify how long the supplicant is allowed to remain connected. The authentication server is able to log that the user connected, along with information from attributes the NAS might have sent. This generally includes the MAC address of the supplicant, the MAC address of the NAS, the username (if authentication was done by username/password) and more, depending on the NAS model. The supplicant can now initiate a DHCP request for an IP address or take any other action as may be appropriate.
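To make the reply attributes concrete, the following added example (not part of the original page) parses a RADIUS reply in the RFC 2865 wire format and extracts the VLAN assignment (RFC 3580 tunnel attributes) and the Session-Timeout. The sample packet, the VLAN name "42" and the helper names are constructed for illustration; the Response Authenticator is not verified here, which a real NAS does against the shared secret before acting on any attribute.

```python
import struct

# Codes and attribute types from RFC 2865, RFC 2868 and RFC 3580.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
SESSION_TIMEOUT, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 27, 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(type_, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([type_, len(value) + 2]) + value

def build_reply(code, ident, attrs):
    """Build a constructed sample reply (authenticator zeroed, not computed)."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_reply(packet):
    """Extract the instructions a reply carries for the NAS."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    seen, pos = {}, 20  # simplification: last instance of a repeated type wins
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        seen[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    out = {"accepted": code == ACCESS_ACCEPT, "vlan": None, "session_timeout": None}
    if not out["accepted"]:
        return out  # attributes on a reject never grant anything
    if len(seen.get(SESSION_TIMEOUT, b"")) == 4:
        out["session_timeout"] = struct.unpack("!I", seen[SESSION_TIMEOUT])[0]
    # Tunnel-Type and Tunnel-Medium-Type are a tag byte plus a 3-byte value.
    ttype = int.from_bytes(seen.get(TUNNEL_TYPE, b"")[1:4], "big")
    medium = int.from_bytes(seen.get(TUNNEL_MEDIUM, b"")[1:4], "big")
    pgid = seen.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        pgid = pgid[1:]
    if ttype == TUNNEL_TYPE_VLAN and medium == MEDIUM_IEEE_802 and pgid:
        out["vlan"] = pgid.decode("ascii", "replace")
    return out

# Constructed sample: Access-Accept, 3600 s session, VLAN "42".
SAMPLE = build_reply(ACCESS_ACCEPT, 7, [
    attr(SESSION_TIMEOUT, struct.pack("!I", 3600)), attr(TUNNEL_PGID, b"42"),
    attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06")])
```

The VLAN is only reported when all three tunnel attributes agree, so a reply carrying a Tunnel-Private-Group-ID without Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802 leaves the supplicant in the default network.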

...