Introducing 802.1X Authentication and RADIUS Servers
The authentication method used to verify the user (and server) credentials on WPA/WPA2-Enterprise networks is defined in the IEEE 802.1X standard. It requires an external server, called a Remote Authentication Dial In User Service (RADIUS) server or an Authentication, Authorization, and Accounting (AAA) server. Such servers are used for a variety of network protocols and environments, including ISPs.
A RADIUS server understands the Extensible Authentication Protocol (EAP) and communicates with the wireless APs, which are referred to as RADIUS clients or authenticators. The RADIUS server serves as a middleman between the APs and the user database. The APs, in turn, communicate directly with the 802.1X client, also referred to as an 802.1X supplicant, on the end user's computer or device.
802.1X authentication is port-based. This means that when someone attempts to connect to the enterprise-protected network, communication is at first allowed through a virtual port solely for the purpose of transferring login credentials. If authentication is successful, encryption keys are securely distributed and the end user is given full access.
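The port-based behaviour described above can be modelled in a few lines. This is an added example, not code from the article: the `ControlledPort` class and the sample frames are hypothetical, and untagged Ethernet II framing stands in for the 802.11 framing a real AP would see.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN (EAPOL), the 802.1X frame type
ETHERTYPE_IPV4 = 0x0800
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RADIUS packet codes

def ethertype(frame: bytes) -> int:
    """Return the EtherType of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

class ControlledPort:
    """Hypothetical per-client virtual port kept by the AP (authenticator)."""
    def __init__(self) -> None:
        self.authorized = False

    def on_radius_reply(self, code: int) -> None:
        # Only Access-Accept opens the port; Access-Challenge changes nothing.
        if code == ACCESS_ACCEPT:
            self.authorized = True
        elif code == ACCESS_REJECT:
            self.authorized = False

    def handle(self, frame: bytes) -> str:
        try:
            kind = ethertype(frame)
        except ValueError:
            return "drop"
        if kind == ETHERTYPE_EAPOL:
            return "relay-to-radius"  # authentication traffic is always let through
        return "forward" if self.authorized else "drop"

def build_frame(kind: int, payload: bytes) -> bytes:
    """Constructed sample frame: made-up MAC addresses, given EtherType."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", kind) + payload

EAPOL_START = build_frame(ETHERTYPE_EAPOL, b"\x02\x01\x00\x00")  # constructed
IP_FRAME = build_frame(ETHERTYPE_IPV4, b"\x45" + bytes(19))      # constructed

def demo() -> list:
    port, seen = ControlledPort(), []
    seen.append(port.handle(IP_FRAME))      # before authentication
    seen.append(port.handle(EAPOL_START))   # login traffic is let through
    port.on_radius_reply(ACCESS_CHALLENGE)
    seen.append(port.handle(IP_FRAME))      # still mid-exchange
    port.on_radius_reply(ACCESS_ACCEPT)
    seen.append(port.handle(IP_FRAME))      # after successful authentication
    return seen
```

Calling `demo()` returns the decision for each frame in order, showing that ordinary traffic is dropped until the RADIUS server accepts the client.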