UPDATE 1/6/24 - ISSUE RESOLVED WITH STEPS BELOW FROM TP-LINK SUPPORT:

Including this information for anyone in the future struggling with a similar issue:

Please don't use Portal Do this instead;

1) Add the printer's IP Address in MAC group instead.
Go to Settings > Profiles > Groups > Create New Group >> select MAC Group and input the MAC Address & IP Address for the printer
2) Setup EAP ACL as follows (see attached picture)
Go to Settings > Network Security > ACL > EAP ACL
 

I am trying to allow a single printer to be accessible from Guest network. Printer is on Trusted VLAN 100, Guest network is VLAN 199. There is a firewall rule to allow the printer IP to be accessible from the Guest network.

I have the "Guest Network" option enabled for the Guest network. There is a static IP set for the printer and devices connected to the Trusted WiFi network can print without issue.

I created an exception under the Omada Controller -> Site Settings -> Authentication -> Portal -> Access Control -> Pre-Authentication Access menu for the printer, but it still doesn't work on its own. However, if I create and enable a Portal, suddenly it works. I do not want a portal.

Any ideas? Something the Portal being enabled is doing is fixing the issue. I don't understand what the deal is and I'm ripping my hair out here.