@tdw, thanks for the explanation, but I wonder when the username and user password have to be used.
Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day).
So, what happens next? Does he need to log in to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) before he can do his usual login into his local OS on his office PC? Surely I must have misunderstood something in this concept.
Thx
802.1X "authentication" CAN happen before the person themselves issues the login on the Windows screen, for example. (And authentication after that can again happen using Windows credentials.)
If you go to the network settings of your PC you'll find some section on 802.1X or "security" where you can choose things like PEAP (Protected EAP, and EAP = Extensible Authentication Protocol, which is more a "framework" than an actual protocol).
https://en.wikipedia.org/wiki/Extensibl ... n_Protocol
As a client PC you don't need to enter any RADIUS stuff because it is not YOU who is talking to the RADIUS, it is the LAN switch which is doing RADIUS for the actual authentication part.
If you choose username/password authentication you can populate something in there (e.g. on a Linux box). In a Windows environment probably the cached credentials are forwarded to the LAN switch, which takes this up to the RADIUS. If your RADIUS is then hooked into your Windows Domain the circle is closed.
I'm telling you a very simplified version of the process, just to give you an idea.
From the moment your network card goes up, normally the "supplicant" software (in the OS) starts talking to the switch (port) and some exchanges are taking place.
These features can be quite complex. It's not always an "all or nothing" thing. E.g. when your PC boots your implementation might allow DHCP/DNS traffic to already flow and after login other policies/profiles are processed.
Or you are initially placed on a specific VLAN, and after authentication you move VLAN, etc. Certain designs incorporate some client software to check your PC if it is "compliant" to IT standards, latest patches, antivirus updates, etc. If not compliant, you are "parked" on some remediation VLAN with partial access until resolved, etc.
Many, many options exist.
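
The split described in the reply above, as an added example that is not part of the original thread: the PC only speaks EAP over the LAN (EAPOL) to the switch, and the switch re-wraps the EAP packet in a RADIUS Access-Request authenticated with the shared secret it holds with the server (RFC 3579). The function names are hypothetical, and the identity and shared secret used to exercise them are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Attribute numbers from RFC 2865 and RFC 3579.
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def eapol_identity_response(eap_id, identity):
    """Supplicant -> switch: EAP-Response/Identity in an EAPOL frame body."""
    eap = struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity
    return struct.pack("!BBH", 2, 0, len(eap)) + eap  # EAPOL v2, type 0 = EAP-Packet

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def switch_relay(eapol, radius_id, secret):
    """Switch -> RADIUS: unwrap EAPOL, carry the EAP packet in an Access-Request."""
    _version, pkt_type, length = struct.unpack("!BBH", eapol[:4])
    eap = eapol[4:4 + length]
    if pkt_type != 0 or len(eap) < 5 or eap[0] != 2 or eap[4] != 1:
        raise ValueError("expected EAP-Response/Identity")
    attrs = attr(USER_NAME, eap[5:]) + attr(EAP_MESSAGE, eap)
    mac_at = 20 + len(attrs) + 2  # offset of the Message-Authenticator value
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    # Code 1 = Access-Request, then a random 16-byte Request Authenticator.
    pkt = bytearray(struct.pack("!BBH", 1, radius_id, 20 + len(attrs)) + os.urandom(16) + attrs)
    # HMAC-MD5 over the whole packet with the field zeroed, keyed by the shared secret.
    pkt[mac_at:mac_at + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def server_check(packet, secret):
    """RADIUS server: verify Message-Authenticator, return attributes by type."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    found, zeroed, pos = {}, bytearray(packet[:length]), 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        found[a_type] = packet[pos + 2:pos + a_len]
        if a_type == MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + a_len] = bytes(a_len - 2)
        pos += a_len
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, found.get(MESSAGE_AUTHENTICATOR, b"")):
        raise ValueError("bad or missing Message-Authenticator")
    return found
```

The user's PC never holds the shared secret; only the switch and the RADIUS server do, which is why nothing RADIUS-related is configured on the client.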