Securing physical access to ports

Yesterday - last edited Yesterday

Hello everyone,

We are currently investigating how to secure physical access to network sockets. Currently I am aware of the following options in an Omada controller / switch / access point setup:

  • Securing client ports with 802.1X. This should work for Windows / Linux / Apple clients.
  • Switch ACLs. It seems there is no direct option for port security where you can bind a list of allowed MACs to a port in the controller. Nevertheless, I could configure a drop "IP any --> IP any" switch ACL on relevant ports and then create another ACL on a single port to allow a specific MAC --> IP any. This should work for devices that do not support 802.1X, like old printers or cameras.

My problem with this setup would be that I am unable to secure access points. These are often located in public areas and would be one of the biggest threats. If someone unplugs the AP and connects a laptop, the methods mentioned above would not help.
Now my question is, would EoGRE be an option here? The idea would be to use an ER707-M2 (with unconnected WAN port, internal IP only) and enable EoGRE. The AP should then only send a single source MAC and could be controlled by a switch ACL. I cannot find a lot of documentation on EoGRE, but I would guess as long as the AP can reach the gateway IP this should work. One thing I cannot see in the documentation is how this works with VLANs. If SSID1 is mapped to VLAN 10 and SSID2 is mapped to VLAN 20, would the gateway that is terminating the GRE tunnel then apply these VLAN tags when passing the traffic to the LAN?
Does anybody know if this would work, or do you have better ideas on how to secure the ports where APs are connected?

1 Accepted Solution
Re:Securing physical access to ports-Solution
Yesterday - last edited Yesterday

Hi @Steven

Thanks for posting here.

You can check the following guide:

How to Shut Down the Switch Port Connected to an EAP to Prevent Intrusion via 802.1X Authentication?
