ZyXEL Communications Prestige 2802HW(L)-IX Support Notes page 86

Prestige 2802HW(L)-Ix Support Notes
•
Using External RADIUS Authentication Server
In addition to the internal authentication server inside ZyXEL AP, you can use external RADIUS authentication
server to centrally manage the user account profile. RADIUS is based on a client-server model that supports
authentication, authorization and accounting. The wireless AP is the client and the server is the RADIUS server.
The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the
Extensible Authentication Protocol (EAP) frames and interacting with the authentication server. When the
authenticator receives EAPOL frames and relays them to the authentication server, the Ethernet header is
stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not
modified or examined during encapsulation, and the authentication server must support EAP within the native
frame format. When the authenticator receives frames from the authentication server, the server＇s frame
header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the supplicant.
When the client supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames
between the supplicant and the authentication server until authentication succeeds or fails. If the authentication
succeeds, the switch port becomes authorized. The specific exchange of EAP frames depends on the
authentication method being used. The figure below shows a message exchange initiated by the client using the
MD5 Challenge authentication method with a RADIUS server.
86
All contents copyright (c) 2007 ZyXEL Communications Corporation.