ZyXEL Communications P-334WT Support Notes page 197

1. Force Authorized : Disables 802.1x and causes the port to transition to the authorized state without requiring any authentication
exchange. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default port
control setting. While the AP is set up as Force Authorized, any wireless client (802.1x-capable or non-802.1x) can always
access the network.
2. Force Unauthorized : Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The
authenticator cannot provide authentication services to the supplicants through the port. While the AP is set up as Force Unauthorized,
wireless clients (802.1x-capable or non-802.1x) never have access to the network.
3. Auto : Enables 802.1x and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received
through the port. The authentication process begins when the link state of the port transitions from down to up, or when an
EAPOL-start frame is received. The authenticator requests the identity of the client and begins relaying authentication messages
between the supplicant and the authentication server. The authenticator uniquely identifies each supplicant attempting to access the
network by the client's MAC address. While the AP is set up as Auto, only wireless clients that support 802.1x can access the network.
Re-Authentication
The administrator can enable periodic 802.1x client re-authentication and specify how often it occurs. When the re-authentication
timer expires, the authenticator sends an EAP-Request/Identity to restart the authentication process.
In the ZyXEL Wireless AP 802.1x implementation, if you do not specify a time period before enabling re-authentication, the number of
seconds between re-authentication attempts is 1800 seconds (30 minutes).
EAPOL (Extensible Authentication Protocol over LAN)
Authenticators and supplicants communicate with one another by using the Extensible Authentication Protocol (EAP, RFC 2284). EAP
was originally designed to run over PPP and to authenticate dial-in users, but 802.1x defines an encapsulation method for passing EAP
packets over Ethernet frames. This method is referred to as EAP over LANs, or EAPOL. The Ethernet type of EAPOL is 88-8E, two
octets in length. EAPOL encapsulations are described for IEEE 802 compliant environments, such as 802.3 Ethernet, 802.11 Wireless
LAN and Token Ring/FDDI.
The EAP protocol can support multiple authentication mechanisms, such as MD5-challenge, One-Time Passwords, Generic Token
Card, TLS and TTLS. Typically, the authenticator sends an initial Identity Request followed by one or more Requests for
authentication information. When the supplicant receives an EAP request, it replies with the associated EAP response. So far, the ZyXEL
Wireless AP supports only the MD5-challenge authentication mechanism, but will support TLS and TTLS in the future.
EAPOL Exchange between 802.1x Authenticator and Supplicant
Either the authenticator or the supplicant can initiate authentication. If you enable 802.1x authentication on the Wireless AP, the
authenticator must initiate authentication when it determines that the wireless link state has transitioned from down to up. It then
sends an EAP-request/identity frame to the 802.1x client to request its identity (typically, the authenticator sends an initial
identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the supplicant
responds with an EAP-response/identity frame.
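
As an added illustration (not part of the ZyXEL notes), the Python sketch below parses the EAPOL framing described above and models the Auto-mode rule that an unauthorized port passes only EAPOL frames. It assumes untagged Ethernet II framing; the MAC addresses, the identity "alice" and the function names are constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = b"\x88\x8e"  # the two-octet 88-8E Ethernet type from the text
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if the frame is not EAPOL."""
    if len(frame) < 14 or frame[12:14] != ETHERTYPE_EAPOL:
        return None
    if len(frame) < 18:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its length field")
    info = {"src": frame[6:12].hex(":"), "eapol_type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:  # EAP-Packet: code, identifier, length, then type for Request/Response
        if body_len < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= body_len:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        info.update(code=EAP_CODES.get(code, code), id=ident)
        if code in (1, 2) and eap_len >= 5:
            info["eap_type"] = EAP_TYPES.get(body[4], body[4])
            info["data"] = body[5:eap_len]
    return info

def auto_port_admits(frame: bytes, authorized: bool) -> bool:
    """Model of Auto mode: until authorized, the port passes only EAPOL frames."""
    return authorized or (len(frame) >= 14 and frame[12:14] == ETHERTYPE_EAPOL)

# Constructed sample frames (locally administered MACs, not from a real capture).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
REQ_ID = STA + AP + bytes.fromhex("888e" "01000005" "0101000501")
RESP_ID = AP + STA + bytes.fromhex("888e" "0100000a" "0201000a01") + b"alice"
IPV4 = AP + STA + bytes.fromhex("0800") + bytes(20)

if __name__ == "__main__":
    for name, frame in (("request", REQ_ID), ("response", RESP_ID), ("ipv4", IPV4)):
        print(name, parse_eapol(frame), auto_port_admits(frame, authorized=False))
```

The length checks matter when this kind of parser is fed captured traffic: a frame whose EAPOL or EAP length field disagrees with the bytes actually present is rejected instead of being sliced silently.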
