RADIUS (Remote Authentication Dial-In User Service) handles the backend authentication decisions. Your switches and access points don't store credentials. They ask RADIUS whether to grant access.
RADIUS runs over UDP, typically ports (authentication) and (accounting). Messages use a shared secret between the RADIUS server and network devices. This secret encrypts sensitive fields like passwords. RADIUS supports multiple authentication methods and can return authorization attributes like VLAN assignments.