lukass2000 wrote
Hello,
I would like to start with the following Omada system:
1 TP-Link OC200
1 TP-Link TL-SG3428X
2 EAP225
I now have a question:
Is it possible to restrict one port on the switch so that ONLY the access point works on this port?
So if someone were to take the LAN cable out of the access point and connect the cable e.g. to a laptop, it shouldn't be possible to connect to the network or Internet from this laptop. Only the specified AP should have a connection.
Thanks :)
@lukass2000
Go to Profiles / Groups and create a new MAC Group
Enter the MAC Address of your EAP
Now go to Network Security / Switch ACL and create a new Rule
Policy: Permit
Protocols: All
Source Type: MAC Group and select your new created MAC Group
Destination Type: IP Group and select IPGroup_Any
ACL Binding:
Binding Type: Ports
Ports: Custom Ports
Device List: Your Switch
Select the port on which your EAP is connected
Create one more Rule on Switch ACL (this must be the last rule)
Be careful, this rule forbids everything on the selected port
Policy: Deny
Protocols: All
Source Type: IP Group and select IPGroup_Any
Destination Type: IP Group and select IPGroup_Any
ACL Binding:
Binding Type: Ports
Ports: Custom Ports
Device List: Your Switch
Select the port on which your EAP is connected
This works, but it is not the best solution, because an attacker can easily change the MAC address.
A better solution is, if the EAP and your switch support Port Security, then you can enable it and set a username and password for this port.
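To make the rule order and the MAC-spoofing caveat concrete, here is a small Python model of how the two port-bound ACL rules from the reply are evaluated. This is an added example, not code from the reply or from Omada: the port number, the MAC addresses and the rule names are made up, and destination/protocol matching is left out because both rules use IPGroup_Any and All.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    name: str
    policy: str               # "permit" or "deny"
    src_mac: Optional[str]    # matched source MAC, or None for "any" (IPGroup_Any)
    ports: Set[int]           # switch ports the rule is bound to


@dataclass
class Frame:
    ingress_port: int
    src_mac: str
    sender: str               # who physically sent it; only used to label the spoofing case


def evaluate(rules: List[Rule], frame: Frame) -> str:
    """First-match evaluation of the rules bound to the frame's ingress port.

    Rules are checked top to bottom and the first one that matches decides.
    A port with no matching bound rule forwards traffic, which is why the
    reply needs the final deny-all rule on the EAP's port.
    """
    for rule in rules:
        if frame.ingress_port not in rule.ports:
            continue
        if rule.src_mac is None or rule.src_mac.lower() == frame.src_mac.lower():
            return rule.policy
    return "permit"           # implicit default when nothing bound matches


# Constructed values, not from the original thread.
AP_MAC = "aa:bb:cc:00:00:01"      # the EAP225 placed in the MAC Group
LAPTOP_MAC = "de:ad:be:ef:00:02"  # an attacker's laptop
AP_PORT = 5                       # switch port the EAP is cabled to
OTHER_PORT = 6                    # a port with no ACL bound


def build_rules(ap_mac: str = AP_MAC, ap_port: int = AP_PORT) -> List[Rule]:
    """The two rules from the reply, in the order they must be created."""
    return [
        Rule("permit-eap", "permit", ap_mac, {ap_port}),
        Rule("deny-all", "deny", None, {ap_port}),   # must stay last
    ]


def demo() -> dict:
    rules = build_rules()
    return {
        "ap_on_its_port": evaluate(rules, Frame(AP_PORT, AP_MAC, "eap")),
        "laptop_on_ap_port": evaluate(rules, Frame(AP_PORT, LAPTOP_MAC, "laptop")),
        "laptop_on_other_port": evaluate(rules, Frame(OTHER_PORT, LAPTOP_MAC, "laptop")),
        # The caveat from the reply: a laptop that clones the EAP's MAC is
        # indistinguishable to a MAC-based ACL.
        "laptop_spoofing_ap_mac": evaluate(rules, Frame(AP_PORT, AP_MAC, "laptop")),
        # Why the order matters: deny-all before permit-eap blocks the EAP too.
        "ap_with_rules_reversed": evaluate(list(reversed(rules)), Frame(AP_PORT, AP_MAC, "eap")),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:24s} -> {action}")
```

Running it shows the EAP permitted, a laptop on the same port denied, a laptop on an unbound port still forwarded, the spoofed-MAC laptop permitted (the weakness the reply points out), and the EAP itself denied if the two rules are created in the wrong order.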