ZyXEL Communications P-334WT Support Notes page 201

Using External RADIUS Authentication Server
In addition to the internal authentication server inside ZyXEL AP, you can use external RADIUS authentication server to centrally
manage the user account profile. RADIUS is based on a client-server model that supports authentication, authorization and accounting.
The wireless AP is the client and the server is the RADIUS server.
The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible Authentication
Protocol (EAP) frames and interacting with the authentication server. When the authenticator receives EAPOL frames and relays them
to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format.
The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native
frame format. When the authenticator receives frames from the authentication server, the server's frame header is removed, leaving the
EAP frame, which is then encapsulated for Ethernet and sent to the supplicant.
When the client supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames between the supplicant
and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized.
The specific exchange of EAP frames depends on the authentication method being used. The figure below shows a message exchange
initiated by the client using the MD5 Challenge authentication method with a RADIUS server.