This diagram shows how a Radius server authenticates devices on a network. The Access Point requests credentials from the wireless client and forwards the information to authentication server for verification. The authentication server verifies credentials against user database and challenges wireless client for password. If access is granted, dynamic key for encrypted session is generated and forwarded to Access Point. Access Point allows or rejects access of wireless client based on feedback from the authentication server. If access is granted, dynamic key will be used to initiate encrypted session between client and Access Point. At this point, all data sent on the network is protected by encryption. On the left side, the green box is labeled EAP, and looks like a bridge between the wireless device and the server.