HI,
Here is your answer,
Client connectivity will pass through 3 phases,
1. Association
2.Authentication
3.Getting IP Address
Association completes (Open Auth) L1 connectivity and then Authention(dot1x) Completes L2 connectivity and then and Client will get IP address on successful Authentication.
1. Association: between Client <-->
Auth request<->Auth Response
Association Req <--> Association Resp
2. Authentication :
1. Here Controller+AP works like Authenticator and exists between Client and Auth server (RADIUS+AD)
2. Till the EAP negotiation Controller will convey handshakes between Client and Auth server
3. Once EAP tunnel is establishes between Client and Auth server, client traffic is not visible to the controller
4. Client will share it's credentials with the Server directly, on successful authentication, Authserver will send RADIUS success message to the controller and shares the Master session key with controller and Client
5. with the help of master session key Client and controller ( AP) will perform dot11i key exchange to derive a temporal key for encrypting the traffic.
DHCP :
After successful Authentication, Controller will allow the usertraffic, i.e it will allow DHCP traffic
Controller will process DHCP traffic and helps the client to get an IP address.
Hope you got some clarity on this.