I recently extended my working Unifi AP collection with an outdoor AP. I now realized that securing the switch port into which the AP is plugged is not as straightforward as I had initially assumed (without ever really thinking this through, admittedly):

• While the AP itself nicely authenticates wireless devices (WPA2-PSK or WPA2-Enterprise, with VLANs assigned), it's LAN connection is pretty much available without any protection, offering untagged access to the management LAN and tagged access to VLANs.

• Unlike outside cameras, I cannot lock down the port in the switch to a single MAC, because the AP is meant to provide access to various (a potentially unlimited number of) devices, each having their own MAC.

• While Unifi APs can authenticate wirless clients via 802.1X, I haven't found an option to implement 802.1X authentication for the AP towards the switch.

So what is the best practice to "prevent" anyone from just unplugging the AP, plugging in a different device and then accessing the network?

Thanks!

Hey @David-TP,

I would like authentication for Ethernet connections since I have a Deco device in a room which has a door to the outdoors which most of the time isn't locked. It feels a bit unsafe to have exposed Ethernet ports where anyone could get access to my internet... Although it is highly unlikely it would happen 😅

  @grimmbraten 

Example of how securing Ethernet ports works in my HITRON CODA router.

That page not only allows to block unused ports, but also gives useful information for type of connections to active ports. This could be right place for Deco node to report speed and duplex of its Ethernet port connections.