802.1X is a standard that is part of IEEE 802.1. It provides access control to a network by allowing or blocking all packets at a given device's point of access into the network, including all broadcast packets. It can be used on Wi-Fi, ethernet and possibly other media.
Upon connecting a device to an ethernet port on a switch or associating with a wireless SSID, the switch or wifi access point concerned (sometimes, not entirely correctly, referred to as a wifi router) will initially not allow any data to be transmitted or received by the device. It will request the connected device to identify itself and, upon approval of the supplied credentials by an authentication server, start forwarding packets between the newly connected device and the rest of the network it serves, or continue to block them if the authentication server did not approve the credentials.
802.1X defines how EAP messages are transmitted over an IEEE 802 network (e.g. ethernet, wifi).
RADIUS is a protocol used to exchange information between an authenticator (also known as a NAS, Network Access Server; see the picture above) and an authentication server. Each packet has a packet type and contains multiple attribute-value pairs carrying whatever information is relevant. By default it operates on UDP port 1812. A well-known RADIUS server software package is FreeRADIUS.
In the example above, a wifi access point provides access to the 192.168.254.0/24 network. When a device (called a supplicant) attempts to connect to the wifi network, the wireless access point starts an EAP conversation with the supplicant over 802.1X, requesting it to supply credentials. The access point then contacts the authentication server (which, in the example above, is also part of the 192.168.254.0/24 network) and sends the EAP response it received from the supplicant over the RADIUS protocol in a packet of type Access-Request. The authentication server may want to request more information from the supplicant; it then answers the wifi access point with a RADIUS packet of type Access-Challenge containing an EAP message to be forwarded to the supplicant. The wifi access point relays this conversation between authentication server and supplicant until the authentication server sends the wifi access point a RADIUS packet of type Access-Accept or Access-Reject.
EAP itself is an encapsulation protocol; inside it a variety of different protocols can be run to perform authentication. An authentication protocol can be encapsulated directly inside EAP, or an encryption protocol can be, inside which (at least in the cases of EAP-PEAP and EAP-TTLS) another instance of EAP is eventually encapsulated, inside which, finally, the actual authentication protocol is encapsulated. According to the comment at the beginning of the 'ttls' section of the mods-available/eap config file, the hierarchy with EAP-TTLS is RADIUS → EAP → TLS → Diameter (a protocol comparable in scope to RADIUS) → again EAP → the actual protocol used for authentication. EAP-PEAP is a comparable encrypting method that can be used instead of EAP-TTLS. An example of a protocol that can be used for the actual authentication is MSCHAPv2.
Where an encrypted tunnel is used, the conversation outside the encrypted tunnel is called the outer tunnel, and the conversation within the encrypted tunnel is called the inner tunnel. When the encrypted tunnel is set up, the authentication server presents a certificate identifying itself, which the supplicant may (and should) verify before sending its login credentials to the server.
In the case of an Access-Accept, the wifi access point now allows the supplicant to join the network; in the case of an Access-Reject, it does not. Once the NAS has granted access, the job of 802.1X, RADIUS and the authentication server is done, and the supplicant becomes part of the 192.168.254.0/24 network's broadcast domain. The authentication server can include attributes in the reply packet to give the NAS additional instructions: for example, it might request the NAS to place the newly connected supplicant in a specific VLAN, or it might specify for how long the supplicant is allowed to remain connected. The authentication server is able to log that the user connected, along with information from attributes the NAS might have sent; generally this includes the MAC address of the supplicant, the MAC address of the NAS, the username (if authentication was done by username/password) and more, depending on the NAS model. The supplicant can now send a DHCP request for an IP address or take any other appropriate action.
EAP and RADIUS support a great variety of features and different methods that can be encapsulated therein to perform authentication (e.g. it is possible to use different protocols that authenticate the user with a username and password, with client certificates, or even with SIM cards), but it is still up to the supplicant, NAS and authentication server implementations which ones they support. Even different NASes have been seen to send MAC addresses in different formats: e.g. the TP-Link Archer C20 sends 01-23-45-67-89-AB, while the TP-Link TD-W8968 sends 0123456789ab. The TP-Link TL-WR740N, in the case of the NAS MAC address, sends 01-23-45-67-89-AB:SSID, where SSID is the configured wireless SSID.
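To make the Access-Request / Access-Accept exchange described above concrete, here is an added Python example (not code from this page or from FreeRADIUS) that encodes and parses the RADIUS packet layout and shows the check a NAS must do on every reply: recomputing the Response Authenticator with the shared secret, so that a reply that was not produced by the configured server (for instance a Reject whose code byte was changed to Accept) is discarded. It goes beyond the text in covering Accept, Reject and Challenge replies alike; the identifier, attribute values and secret are all constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes, then attribute numbers: User-Name, NAS-IP-Address, Calling-Station-Id, EAP-Message
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, EAP_MESSAGE = 1, 4, 31, 79

def encode_attrs(attrs):
    # (type, value) -> type(1) length(1) value TLVs; a value holds at most 253 bytes, so a long EAP message is split over several EAP-Message attributes
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        t, l = data[0], data[1] if len(data) > 1 else 0  # a lone byte fails the check below
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs

def build_access_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)  # request_auth: 16 random bytes chosen by the NAS
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def response_authenticator(code, ident, request_auth, body, secret):
    # RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    # Server -> NAS: Accept/Reject/Challenge, bound to the request it answers
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_reply(reply, request_auth, secret):
    # NAS side: recompute the Response Authenticator before acting on a reply; returns (code, attrs) or None
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = response_authenticator(reply[0], reply[1], request_auth, reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return reply[0], decode_attrs(reply[20:])
```

A reply whose length field is consistent but whose attribute lengths are not raises ValueError from decode_attrs, so the caller should treat that the same as a failed check.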
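Because of the format differences just listed, any policy or logging code that compares station MAC addresses (for example in an rlm_python script or before an SQL lookup) has to canonicalise them first. The following is an added, hypothetical helper, not code from this page or from FreeRADIUS; it handles the three formats named above plus the colon-separated form, and keeps the SSID trailer of the TL-WR740N style intact.

```python
import re

# Added helper (hypothetical, not part of FreeRADIUS): canonicalise the MAC address
# formats that different NAS models put in Calling-Station-Id / Called-Station-Id.
# A leading MAC is 6 hex pairs with one consistent separator ('-' or ':'), or 12 bare
# hex digits; anything after it must be ":SSID" (the TL-WR740N style).
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12})")

def normalize_station_id(value):
    """Return (mac, ssid), mac as 'aa:bb:cc:dd:ee:ff' and ssid as str or None.
    Raises ValueError when no MAC can be recovered, so policy code fails closed
    instead of silently comparing against the wrong string."""
    value = value.strip()
    m = _MAC_RE.match(value)
    if not m:
        raise ValueError(f"no MAC address in Station-Id {value!r}")
    digits = re.sub(r"[-:]", "", m.group(0)).lower()
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    rest = value[m.end():]
    if not rest:
        return mac, None
    if rest[0] != ":":  # e.g. 14 hex digits or a trailing '-XX': not a form we understand
        raise ValueError(f"unexpected trailer in Station-Id {value!r}")
    return mac, rest[1:]  # the SSID may itself contain ':' or '-', keep it verbatim
```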
There are many FreeRADIUS configuration files. On Debian systems they are located in /etc/freeradius/3.0; many other environments apparently use a slightly different location. Most of them contain plenty of comments explaining what the configuration does, along with advice and warnings, but some understanding of the protocols, or some time getting used to them, is often necessary to understand them. The FreeRADIUS technical guide (link in the "Support / Knowledge places" section) describes them in more detail along with other useful information. Here is a brief look at some of the configuration files and folders:
clients.conf - List of clients that will be connecting to the FreeRADIUS server, including their IP addresses and the passwords (shared secrets) they will use to authenticate to FreeRADIUS. What is called a FreeRADIUS client is a NAS, not a supplicant; supplicants do not speak directly to RADIUS servers.
mods-available - Folder containing config files of modules that can be used with FreeRADIUS
mods-enabled - Folder containing symlinks to files in the mods-available folder, for modules that should be enabled
mods-config - Folder containing further module-related configuration, e.g. .sql files containing empty schemas for the initial creation of databases for use with the sql module
certs - Folder containing certificates usable by FreeRADIUS and the configuration files/Makefile/etc. needed to generate them
sites-available - "Sites" that can be served by FreeRADIUS.
sites-enabled - Folder containing symlinks to files in the sites-available folder, for sites that should be enabled
mods-available/eap - Configuration file for EAP module
users - In the default configuration, a text file based user database
By default, the 'default' and 'inner-tunnel' sites are enabled. 'default' is the outer tunnel: it listens for incoming requests from the NASes. 'inner-tunnel' receives the requests that the outer-tunnel site forwards to it, containing the data from the inner tunnel.
The site files contain multiple sections; here are some of them:
authorize - This section lists the modules/code that are run when a request is received, in preparation for authentication. One of the important tasks is to find out which authentication method/protocol the supplicant is trying to use and which FreeRADIUS module is appropriate to deal with it; when one of the listed modules finds that it is able to deal with the request, it informs FreeRADIUS. Another important task is to load into memory the information that might be needed for authentication. For example, the sql module loads the relevant credentials from the SQL database so that the authentication module that later runs in the authenticate section can access them in order to compare them with what the supplicant sent.
authenticate - After the authorize section has run, this section takes care of the actual authentication. Here, modules are called that assess the information made available to them and report what action should be taken.
post-auth - After it has been determined what action should be taken, this section is run if authentication succeeded; otherwise the Post-Auth-Type Reject subsection is run. These sections take care of any extra tasks required, for example logging, and can also add or modify attributes to be sent back to the NAS as part of the reply packet.
The RADIUS protocol also allows the authentication server to initiate a connection to the NAS and instruct it to disconnect a currently logged-in user, but again, this has not been investigated much, as it seems not to be supported by the NASes we have, and presumably is not on any NAS in that price range.
A lot of documentation regarding FreeRADIUS and many modules, and some examples, can be found on the FreeRADIUS wiki:
FreeRADIUS technical guide:
https://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf
A lot more useful information can be found on the FreeRADIUS mailing list:
https://wiki.freeradius.org/guide/Users-Mailing-List
http://lists.freeradius.org/mailman/listinfo/freeradius-users
It is stressed in the FreeRADIUS wiki to only follow documentation from the official wiki, as third party documentation is often outdated and/or incorrect.
Another good site (linked to in FreeRADIUS wiki):
Page with information on finding documentation / support:
https://freeradius.org/documentation/
https://en.wikipedia.org/wiki/IEEE_802.1X
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#PEAP
https://en.wikipedia.org/wiki/Diameter_(protocol)
https://wiki.freeradius.org/guide/Basic-configuration-HOWTO
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu
https://wiki.freeradius.org/modules/Rlm_python
https://wiki.freeradius.org/config/Certificates
http://deployingradius.com/documents/configuration/certificates.html
http://deployingradius.com/documents/protocols/compatibility.html
https://www.cwnp.com/uploads/802-11i_key_management.pdf