Thursday, 20 March 2014

How 802.1x works

EAP is the framework used for 802.1X authentication; it is capable of carrying many different authentication methods (EAP-TLS, PEAP, EAP-TTLS and so on). 802.1X defines three roles:

Supplicant - The client/workstation that needs access to the network.

Authenticator - The device that controls the supplicant's access to the network, e.g. a switch, AP or wireless controller. The authenticator requests the identity of the supplicant and has it verified with the help of the authentication server. It does not understand the EAP method itself; it only encapsulates and decapsulates the EAP messages, carrying them inside EAPOL on the supplicant side and inside RADIUS on the authentication server side.

Authentication Server - The device (normally a RADIUS server) that actually verifies the supplicant's credentials. It tells the authenticator whether the client may be allowed to access the network.

What is EAPOL ?
EAPOL (EAP over LAN) is the method used to transport EAP packets between the supplicant and the authenticator directly over the LAN MAC service, on both wired and wireless links (Ethernet type 0x888E). Not every EAPOL frame carries an EAP message; some types exist only for administrative tasks. The five EAPOL packet types are:

  1. EAPOL-Start: When the supplicant first connects to the LAN it does not know the MAC address of the authenticator (if there is one). It sends EAPOL-Start to the PAE group MAC address 01:80:C2:00:00:03, which every authenticator listens on, so the supplicant can find out whether an authenticator is present. The authenticator answers with an EAP-Request/Identity.
  2. EAPOL-Key: Using this message type the authenticator sends encryption (and other) keys to the supplicant once it has decided to admit it to the network. On Wi-Fi the WPA/WPA2 4-way handshake frames are EAPOL-Key frames.
  3. EAPOL-Packet (EAP-Packet): This frame carries an actual EAP message. It is simply a container for sending EAP across the LAN.
  4. EAPOL-Logoff: This message indicates that the supplicant wishes to be disconnected from the network; the authenticator puts the port back into the Unauthorized state. Note that EAPOL-Start and EAPOL-Logoff carry no authentication of their own, so the authenticator can only trust the source MAC address of the frame.
  5. EAPOL-Encapsulated-ASF-Alert: This is provided for the Alert Standard Format (ASF) so that alerts (e.g. from management hardware) can be forwarded through a port that is still in the Unauthorized state.
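To see what the three roles and the EAPOL types above look like on the wire, here is an added example (my own code, not part of the original post) that builds and parses the first frames of an 802.1X exchange: the supplicant's EAPOL-Start to the PAE group address, the authenticator's EAP-Request/Identity and the supplicant's EAP-Response/Identity. The MAC addresses and the identity string are constructed values; the frame layouts (14-byte Ethernet header, 4-byte EAPOL header, 4-byte EAP header plus type byte) are the ones from the standards.

```python
import struct

# Added example (not from the original post): build and parse the EAPOL frames of the
# first 802.1X steps. MAC addresses and the identity string are constructed values.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # group address every authenticator listens on

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eapol(dst, src, eapol_type, body=b"", version=1):
    """Ethernet header + 4-byte EAPOL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body)) + body


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP header: code, identifier, total length; Request/Response add a type byte."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2):                         # Request/Response carry a method type
        if length < 5:
            raise ValueError("EAP Request/Response without type")
        eap["type"] = body[4]
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame):
    """Parse an Ethernet frame carrying EAPOL. Trailing bytes beyond the declared EAPOL
    body length (Ethernet padding) are ignored; a body shorter than declared is rejected."""
    if len(frame) < 18:
        raise ValueError("frame too short for EAPOL")
    ethertype, version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body truncated")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


def identity_exchange(supplicant_mac, authenticator_mac, identity):
    """The first three frames on the wire: EAPOL-Start, EAP-Request/Identity,
    EAP-Response/Identity. Returns the parsed frames in order."""
    frames = [
        # 1. supplicant -> PAE group: "is there an authenticator on this segment?"
        build_eapol(PAE_GROUP_MAC, supplicant_mac, 1),
        # 2. authenticator -> supplicant: EAP-Request/Identity (id 1) inside an EAP-Packet
        build_eapol(supplicant_mac, authenticator_mac, 0, build_eap(1, 1, EAP_TYPE_IDENTITY)),
        # 3. supplicant -> authenticator: EAP-Response/Identity with the same id. The
        #    authenticator relays only the EAP message to the RADIUS server, not the EAPOL frame.
        build_eapol(authenticator_mac, supplicant_mac, 0,
                    build_eap(2, 1, EAP_TYPE_IDENTITY, identity)),
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for f in identity_exchange(bytes.fromhex("020000000001"),
                               bytes.fromhex("020000000002"), b"alice@example.com"):
        print(f)
```

Two things worth noticing when you run it: the parser trusts the EAPOL length field and ignores Ethernet padding, which is what a real supplicant or authenticator has to do for short frames; and the EAP-Response/Identity goes over the LAN in clear text, which is why tunnelled methods such as PEAP and EAP-TTLS use an anonymous outer identity and send the real username only inside the TLS tunnel.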


Wednesday, 19 March 2014

Behind the scenes - While you browse www.google.com from your computer

1. You open the browser and type www.google.com in the address bar.
2. Your computer already has an IP address, a default gateway and a DNS server address (normally learned through DHCP).
3. The computer needs to resolve www.google.com to an IP address before it can send anything.
4. It takes the DNS server address it learned during the DHCP exchange.
5. If the DNS server is not in the computer's own subnet, the query has to be sent through the default gateway.
6. Suppose the computer does not yet know the MAC address of the gateway.
7. The computer sends a Layer 2 broadcast ARP request asking "who has <gateway IP>?".
8. The gateway replies with its MAC address, which the computer caches in its ARP table.
9. The computer sends the DNS query to the gateway (destination MAC = gateway MAC, destination IP = DNS server IP).
10. The gateway checks its routing table for a route that matches the destination IP.
11. It forwards the query to the next hop given by that route.
12. The query travels hop by hop in the same way until it reaches the DNS server.
13. The DNS server replies with the IP address of www.google.com (the resolver may answer from its cache or query the authoritative servers first).
14. The reply follows the same kind of path back to the computer.
15. The computer checks whether the resolved IP is in its own subnet; if not, the packet goes to the gateway.
16. Here is the packet the computer forms:

 Source IP address - Computer IP
 Source MAC address - Computer MAC
 Destination IP address - Google IP address
 Destination MAC - Gateway MAC address

17. When the packet reaches the gateway, it looks up the destination IP in its routing table as before.
18. The gateway then rewrites the Layer 2 header as below:

Source MAC - Gateway MAC (of the outgoing interface)
Source IP - Computer IP
Destination MAC - MAC of the next-hop router from the routing table
Destination IP - Google IP address

19. This process repeats at every hop along the way.
20. Every router in between rewrites the source and destination MAC addresses (and decrements the IP TTL by one) but leaves the source and destination IP addresses unchanged.
21. The packet reaches Google.
22. Google replies as below:

Source IP - Google IP address
Source MAC - Google server MAC
Destination IP - Computer IP
Destination MAC - MAC of Google's gateway

23. The reply is forwarded hop by hop in the same way and reaches the computer.
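As an added example (my own code, not part of the original post), here is a small lab that walks a packet through steps 15 to 23 above: a PC, two routers and a server in a constructed topology. Every address and MAC is made up (the server stands in for Google, using a documentation prefix, not a real Google IP); the "ARP cache" is pre-filled as if every ARP exchange had already happened. Each hop does a routing-table lookup, picks the next hop, rewrites the MAC addresses and decrements the TTL, while the IP addresses never change, which is the point steps 18 and 20 make.

```python
import ipaddress

# Added example (not from the original post). Constructed lab topology:
#   PC (10.10.10.10) -- R1 -- 198.51.100.0/30 -- R2 -- SERVER (203.0.113.80)
# Each node lists its interfaces (address/prefix, MAC) and its routing table (prefix, next hop).
NODES = {
    "PC": {"interfaces": [("10.10.10.10/24", "aa:aa:aa:aa:aa:aa")],
           "routes": [("0.0.0.0/0", "10.10.10.1")]},            # default gateway
    "PC2": {"interfaces": [("10.10.10.20/24", "bb:bb:bb:bb:bb:bb")],
            "routes": [("0.0.0.0/0", "10.10.10.1")]},
    "R1": {"interfaces": [("10.10.10.1/24", "11:11:11:11:11:11"),
                          ("198.51.100.1/30", "12:12:12:12:12:12")],
           "routes": [("0.0.0.0/0", "198.51.100.2")]},
    "R2": {"interfaces": [("198.51.100.2/30", "21:21:21:21:21:21"),
                          ("203.0.113.1/24", "22:22:22:22:22:22")],
           "routes": [("0.0.0.0/0", "198.51.100.1")]},
    "SERVER": {"interfaces": [("203.0.113.80/24", "ee:ee:ee:ee:ee:ee")],
               "routes": [("0.0.0.0/0", "203.0.113.1")]},
}

# Pre-resolved ARP cache (IP -> MAC) and which node owns each address.
ARP = {str(ipaddress.ip_interface(cidr).ip): mac
       for n in NODES.values() for cidr, mac in n["interfaces"]}
OWNER = {str(ipaddress.ip_interface(cidr).ip): name
         for name, n in NODES.items() for cidr, _ in n["interfaces"]}


def egress_for(node, ip):
    """MAC of the interface whose subnet contains ip, or None if ip is not on-link."""
    addr = ipaddress.ip_address(ip)
    for cidr, mac in NODES[node]["interfaces"]:
        if addr in ipaddress.ip_interface(cidr).network:
            return mac
    return None


def route_lookup(node, dst_ip):
    """Step 15/17: on-link destinations are ARPed for directly; otherwise take the
    longest-prefix-match route and ARP for its next hop. Returns (egress MAC, next-hop IP)."""
    mac = egress_for(node, dst_ip)
    if mac:
        return mac, dst_ip
    best = None
    for prefix, via in NODES[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    if best is None:
        raise LookupError(f"{node}: no route to {dst_ip}")
    via = best[1]
    return egress_for(node, via), via


def forward(src_node, dst_ip, ttl=64):
    """Walk the packet hop by hop and return the L2/L3 header as it leaves each node."""
    node = src_node
    src_ip = str(ipaddress.ip_interface(NODES[node]["interfaces"][0][0]).ip)
    trace = []
    while True:
        egress_mac, next_hop = route_lookup(node, dst_ip)
        trace.append({"hop": node, "src_mac": egress_mac, "dst_mac": ARP[next_hop],
                      "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl})
        node = OWNER[next_hop]
        if next_hop == dst_ip:          # delivered to the final destination
            return trace
        ttl -= 1                        # every router decrements TTL; MACs change, IPs do not
        if ttl == 0:
            raise RuntimeError("TTL expired in transit")


if __name__ == "__main__":
    for hdr in forward("PC", "203.0.113.80") + forward("SERVER", "10.10.10.10"):
        print(hdr)
```

Running it prints three headers for the request (PC, R1, R2) and three for the reply (SERVER, R2, R1): the source and destination IPs stay fixed for the whole trip, only the MAC pair and the TTL change at each hop, and a packet to 10.10.10.20 from the PC goes straight to PC2's MAC without touching the gateway at all.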

IF NAT IS CONFIGURED
===================
Most likely the NAT will be one-to-many (PAT, also called NAT overload): many inside hosts share a single public IP address.

The NAT device keeps a translation table of the private IP address and source port each client used, mapped to the public IP and the public port chosen for that session. It keeps the client's own source port when it is free; if another inside host is already using that port, it picks a different public port, so the port can be rewritten as well as the IP:
Source port 10, IP address 10.10.10.10 ===>>> Mapped to 200.200.200.200, port 10

When the reply comes back it arrives at the public IP on that translated port, so the NAT device looks the port up in its table, finds which client was mapped to it and rewrites the destination back to the client's private IP and original port. A packet arriving on a port with no table entry belongs to no session and is dropped.
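An added example (my own code, not from the original post) of the translation table described above, using the page's public IP 200.200.200.200 and two constructed inside hosts. It goes a little beyond the text: two clients pick the same source port, so the second one gets a rewritten port, and a reply from a remote host the client never talked to is refused even though the port is mapped (the address-and-port-dependent filtering most consumer and firewall NATs apply).

```python
from itertools import count

# Added example (not from the original post). Constructed addresses throughout.


class PortNAT:
    """One public IP shared by many inside hosts (PAT / NAT overload).
    Mapping is endpoint-independent (one public port per inside ip:port); filtering is
    address-and-port-dependent (only remotes the inside host has sent to may reply)."""

    def __init__(self, public_ip, first_spare_port=20000):
        self.public_ip = public_ip
        self.mappings = {}      # (inside_ip, inside_port) -> public_port
        self.sessions = {}      # public_port -> {"inside": (ip, port), "remotes": set()}
        self._spare = count(first_spare_port)

    def _allocate(self, wanted):
        """Keep the client's own source port when it is free; otherwise pick a spare one."""
        if wanted not in self.sessions:
            return wanted
        while True:
            p = next(self._spare)
            if p not in self.sessions:
                return p

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to public_ip:public_port, remember the remote."""
        key = (src_ip, src_port)
        if key not in self.mappings:
            pub = self._allocate(src_port)
            self.mappings[key] = pub
            self.sessions[pub] = {"inside": key, "remotes": set()}
        pub = self.mappings[key]
        self.sessions[pub]["remotes"].add((dst_ip, dst_port))
        return {"src_ip": self.public_ip, "src_port": pub, "dst_ip": dst_ip, "dst_port": dst_port}

    def translate_in(self, src_ip, src_port, dst_port):
        """Outside -> inside: a packet to public_ip:dst_port. Returns the rewritten header,
        or None when it matches no session (unknown port, or a remote the inside host never
        contacted); a real NAT device drops such packets."""
        sess = self.sessions.get(dst_port)
        if sess is None or (src_ip, src_port) not in sess["remotes"]:
            return None
        in_ip, in_port = sess["inside"]
        return {"src_ip": src_ip, "src_port": src_port, "dst_ip": in_ip, "dst_port": in_port}


def demo():
    nat = PortNAT("200.200.200.200")
    a = nat.translate_out("10.10.10.10", 49152, "203.0.113.80", 443)
    b = nat.translate_out("10.10.10.11", 49152, "203.0.113.80", 443)  # same source port, other host
    reply_a = nat.translate_in("203.0.113.80", 443, a["src_port"])
    reply_b = nat.translate_in("203.0.113.80", 443, b["src_port"])
    stray = nat.translate_in("198.51.100.9", 443, a["src_port"])     # never contacted: dropped
    return a, b, reply_a, reply_b, stray


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first client keeps source port 49152 on the public side; the second, having chosen the same port, is mapped to 20000, and the replies are routed back to the right private host by the public port alone. The stray packet shows why "the reply comes back on the same port" is only half the story: the NAT device also checks that the packet comes from an endpoint the client actually sent to.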