by chenxiaolong 1257 days ago
Yeah, AT&T unfortunately tries really hard to make their customers use the provided routers. For customers on the older GPON network (like myself), they provide an ONT and a router. The ONT will not communicate until the router authenticates with EAP-TLS. The ONT has some additional funkiness, like requiring the EAP-TLS ethernet frames to be tagged with VLAN ID 0.

Some folks work around this by using an ONT <-> dumb/unmanaged switch <-> router setup. They'll plug in the provided router, wait for it to authenticate, disconnect it, and then plug in their own router. The dumb switch will keep the link alive from the ONT's point of view. Works well, though it is annoying to have to redo the procedure whenever the power goes out. For the lucky folks whose provided routers are easily jailbreakable, we can extract the EAP-TLS certs and configure our own routers to authenticate directly.

On their newer XGS-PON network, some folks found out that the EAP-TLS isn't even enforced by the ISP's network--it's enforced locally by the ONT. So you can buy your own SFP ONT module that doesn't support the OMCI commands for enabling EAP-TLS, spoof the SFP serial number, and get connected.