@Somnus 

Ok, changed it. Success in regards to lock out but not in function in the first step .

Had to add a rule for all devices to access to my FritzBox, so that any device receives an IP.

Afterwards it works, as long as a device without access is not connected to the same AP. 
If a blocked device is connected to the same AP then it has access, so my assumption,

same ACL I have to set up in EAP ACL.

Is my assumption correct?

Two additional questions I do have now:

Can I apply same ACL copy and paste?

Can I change the order of the ACL?

Thanks, really appreciate your support !

  @CK1710 1. The switch ACL can only take effect if the packets send to this switch.

For example if you have two devices connected to the same EAP, then their communication packets will only go through this EAP but not send to the switch/gateway. In that case the switch ACL can not block the packets.

But if your two devices are connected to different EAP, the packets need to go to EAP1 then go to the switch and finally go to EAP2, and this packet will be detected by the switch and switch ACL.

2. Yep basically the ACL rule is the same for EAP. But EAP does not have a default Deny ALL rule. So you don't need to add permit all rule in the end;

3. If you means the index number, no...

I'm glad you make it work!