669. The authentication server compares the received encrypted password with the one it generated atstep 5. If the two are identical, the authentication server considers the client valid and sends aRADIUS Access-Accept packet to the network access device.10. Upon receiving the RADIUS Access-Accept packet, the network access device sends anEAP-Success packet to the client, and sets the controlled port in the authorized state so the clientcan access the network.11. After the client comes online, the network access device periodically sends handshake requests tocheck whether the client is still online. By default, if two consecutive handshake attempts fail, thedevice logs off the client.12. Upon receiving a handshake request, the client returns a response. If the client fails to return aresponse after a certain number of consecutive handshake attempts (two by default), the networkaccess device logs off the client. This handshake mechanism enables timely release of the networkresources used by 802.1X users that have abnormally gone offline.13. The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.14. In response to the EAPOL-Logoff packet, the network access device changes the status of thecontrolled port from authorized to unauthorized and sends an EAP-Failure packet to the client.EAP terminationFigure 30 shows the basic 802.1X authentication procedure in EAP termination mode, assuming thatCHAP authentication is used.