The standard uses EAP (Extensible Authentication Protocol) and its algorithms for exchanging messages during the authentication process. Among the algorithms EAP (RFC 2284) supports are MD5 (Message Digest 5), TLS (Transport Layer Security), TTLS (Tunneled TLS), LEAP (Lightweight EAP) and PEAP (Protected EAP) (see "The Alphabet Soup of Authentication,", for more on these protocols).
But 802.1x is no silver bullet for ensuring users are who they say they are. It requires digital-certificate management, which is complex, and the 802.1x client and server software must be compatible with one another. It's not yet plug and play, either, because its authentication algorithms are still immature.
The 802.1x protocol consists of three main elements. The supplicant is a client device, such as a desktop, laptop or PDA, that requires secure network access. Then there's the authenticator, which can be an intermediary device, such as a wireless access point or a network switch. It exchanges information between the supplicant and the authentication server, the third piece of 802.1x. The authentication server can be a RADIUS server that authenticates users with its own user database or by working with an external user database, such as Microsoft's Active Directory or another LDAP database.
RADIUS servers are a popular choice for the 802.1x authentication server because most enterprises use them for secure dial-in user access. With a RADIUS server, you can avoid storing user information on each access point or network switch. It's also helpful for redundancy purposes, where a backup RADIUS server can take over the authentication process if the primary server fails. RADIUS supports most of the commonly used EAP authentication mechanisms, such as TLS, TTLS, LEAP, MD5 and PEAP.