802.1x Authentication Conversation

Here's how authentication works (Figure 6.3):

Figure 6.3. 802.1x protocol.


The supplicant (client) starts by sending an EAP Start frame. This lets the authenticator know that somebody's knocking and wants in. The authenticator replies with an EAP Request/Identity frame, which is like saying, “Who's there?” The supplicant replies with another EAP Request/Identity frame identifying themselves (i.e., a username). The authenticator forwards this information to the authentication server.

The authentication server then sends the authenticator an EAP-Request frame which contains some kind of challenge or request for credentials, such as asking for a password. The authenticator forwards the challenge to the supplicant who provides an appropriate response. The authenticator takes the response and forwards it to the authentication server.

Next, the authentication server evaluates the credentials and replies with an EAP-Success (or failure) frame to the authenticator. If an EAP-Success message is received, the authenticator will transition the controlled port from an unauthorized to an authorized state and normal network traffic will ensue.

As you can see, the supplicant and the authentication server never actually talk directly. All communication is intercepted and relayed by the authenticator. Only after a client is authenticated can it gain access to network resources.
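The conversation above can be followed on the wire by decoding each frame's EAPOL and EAP headers and tracking the controlled port. The following is an added example, not code from the book: the frames are constructed, the username `alice` and the MD5-Challenge method are assumptions, and the port model is simplified. Labels follow the wire encodings in IEEE 802.1X and RFC 3748, where the opening frame is EAPOL-Start and the supplicant's identity reply carries EAP code 2 (Response).

```python
import struct
EAPOL_TYPES = {1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def eap(code, ident, eap_type=None, data=b""):
    """Build a constructed EAPOL frame body carrying one EAP packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    pkt = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt  # version 1, type EAP-Packet

def decode(frame):
    """Label one EAPOL frame, e.g. 'EAP-Request/Identity'."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    body = frame[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated EAP packet")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    typed = code in (1, 2)  # only Request/Response carry a Type octet
    if not (5 if typed else 4) <= eap_len <= length:
        raise ValueError("bad EAP length field")
    label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if typed:
        label += "/" + EAP_TYPES.get(body[4], f"type-{body[4]}")
    return label

def port_state(frames):
    """Simplified controlled-port model: open only on a relayed EAP-Success."""
    state = "unauthorized"
    for direction, frame in frames:
        label = decode(frame)
        if label == "EAP-Success" and direction == "to_supplicant":
            state = "authorized"
        elif label in ("EAP-Failure", "EAPOL-Logoff"):
            state = "unauthorized"
    return state

CONVERSATION = [  # constructed frames; direction as seen by the authenticator
    ("from_supplicant", struct.pack("!BBH", 1, 1, 0)),       # EAPOL-Start
    ("to_supplicant", eap(1, 1, 1)),                         # "Who's there?"
    ("from_supplicant", eap(2, 1, 1, b"alice")),             # identity reply
    ("to_supplicant", eap(1, 2, 4, b"\x10" + bytes(16))),    # challenge
    ("from_supplicant", eap(2, 2, 4, b"\x10" + bytes(16))),  # response
    ("to_supplicant", eap(3, 2)),                            # Success from server
]
```

An EAP-Success that arrives from the supplicant side is decoded but does not change the port state, since only the authentication server's verdict, relayed by the authenticator, authorizes the port.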
