ZyXEL Communications P-334WT Support Notes page 196

The device (i.e. Wireless AP) facilitates authentication for the supplicant (Wireless client) attached on the Wireless network.
Authenticator controls the physical access to the network based on the authentication status of the client. The authenticator acts as an
intermediary (proxy) between the client and the authentication server (i.e. RADIUS server), requesting identity information from the
client, verifying that information with the authentication server, and relaying a response to the client.
2. Supplicant :
The station (i.e. Wireless client) is being authenticated by an authenticator attached on the Wireless network. The supplicant requests
access to the LAN services and responds to the requests from the authenticator. The station must be running 802.1x-compliant client
software such as that offered in the Microsoft Windows XP operating system, Meeting House AEGIS 802.1x client and Odyssey
802.1x client.
3. Authentication Server :
The device (i.e. RADIUS server) provides an authentication service to an authenticator. This service determines, from the credentials
provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. The authentication
server performs the actual authentication of the client. It validates the identity of the supplicant. Because the authenticator acts as the
proxy, the authentication service is transparent to the supplicant.
Some Wireless AP (i.e. ZyXEL Wireless AP) have built-in authentication server, external RADIUS authentication server is not needed.
In this case, Wireless AP is acted as both authenticator and authentication server.
Authentication Port State and Authentication Control
The port state determines whether or not the supplicant (Wireless Client) is granted access to the network behind Wireless AP. There
are two authentication port state on the AP, authorized state and unauthorized state.
By default, the port starts in the unauthorized state. While in this state, the port disallows all incoming and outgoing data traffic except
for 802.1x packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing all traffic for
the client to flow normally. If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the authenticator
requests the client's identity. In this situation, the client does not respond to the 802.1x request, the port remains in the unauthorized
state, and the client is not granted access to the network.
When 802.1x is enabled, the authenticator controls the port authorization state by using the following control parameters. The following
three authentication control parameter are applied in Wireless AP.