EAP Controller 2.2.3 Access Control Application Example
Suitable for EAP Controller 2.2.3 or higher
In some scenarios, such as an office network, the administrator may want to give visitors Wi-Fi access to the Internet without giving them access to the local wired network, for security reasons.
On TP-LINK wireless routers this requirement can be met with the guest network feature. On EAP the same goal is achieved with access control. This article explains how to configure access control on EAP Controller 2.2.3. For an EAP Controller 2.0.3 configuration example, please refer to FAQ912.
Below is a sample topology. In this sample we want the laptop to have Internet access but no access to the server in the LAN.
1. Before configuration, please verify that the laptop can communicate with the wired desktop/server. Here we run ping on the laptop against a wired server, 192.168.1.5, as an example.
2. Go to Wireless Control -> Access Control. You can either edit the Default rule or click Add Access Control Rule and enter a Rule Name of your choice. In our example we choose Block as the Rule Mode, fill in 192.168.1.0/24 in the restricted Subnets field, and click the Apply button.
1) There are two Rule Modes to choose from: Allow and Block. Allow is a white list and Block is a black list.
2) The members of the rule's subnets follow the Rule Mode you choose, except for the 'Except Subnets' members. Subnets that are not listed in the rule do not follow the rule either. For example, I configure a Block rule with subnets 192.168.1.0/24 and except subnets 192.168.1.2/32. Clients connected to the EAP can then access only 192.168.1.2 within the 192.168.1.x subnet, and they can still access other subnets.
3. Select the corresponding Access Control Rule on the Wireless Settings -> Edit SSID page.
4. Verify that the laptop cannot ping the wired server but can ping the Internet.
In the above example the laptop cannot communicate with any device in the 192.168.1.0/24 subnet, so you must make sure the DNS server used by the laptop is outside 192.168.1.0/24, or the laptop will not be able to access the Internet. One solution is to set the DHCP server to assign a public DNS server; alternatively, you can put your gateway in the Except Subnets field.
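The rule semantics from note 2) and the DNS caveat above can be checked on paper before a rule is applied to an SSID. The following Python sketch is an added example, not TP-LINK code: it assumes the rule filters on destination IP address, that in Allow mode everything outside the rule is denied, and it uses a constructed gateway/DNS address of 192.168.1.1.

```python
import ipaddress

def is_reachable(dest, mode, subnets, except_subnets=()):
    """Return True if a wireless client may reach dest under the rule.

    Assumed model of the semantics described in the article, not the
    controller's own code: only addresses inside `subnets` and outside
    `except_subnets` follow the Rule Mode, and the filter is applied to
    the destination IP address.
    """
    ip = ipaddress.ip_address(dest)
    in_subnets = any(ip in ipaddress.ip_network(s) for s in subnets)
    in_except = any(ip in ipaddress.ip_network(s) for s in except_subnets)
    follows_rule = in_subnets and not in_except
    if mode == "Block":
        return not follows_rule   # black list: rule members are denied
    if mode == "Allow":
        return follows_rule       # white list: only rule members are allowed
    raise ValueError(f"unknown Rule Mode: {mode!r}")

def blocked_dns_servers(dns_servers, mode, subnets, except_subnets=()):
    """List the DNS servers assigned by DHCP that the rule would cut off."""
    return [d for d in dns_servers
            if not is_reachable(d, mode, subnets, except_subnets)]

if __name__ == "__main__":
    subnets = ["192.168.1.0/24"]   # restricted subnet from the article
    gateway_dns = "192.168.1.1"    # constructed: gateway acting as DNS server
    public_dns = "8.8.8.8"         # a public DNS server outside the LAN

    # Step 4 of the article: the wired server must be unreachable.
    print("server reachable:", is_reachable("192.168.1.5", "Block", subnets))

    # DNS caveat: a resolver inside the blocked subnet breaks Internet access.
    print("blocked DNS:", blocked_dns_servers([gateway_dns], "Block", subnets))

    # Fix 1: hand out a public DNS server through DHCP.
    print("blocked DNS:", blocked_dns_servers([public_dns], "Block", subnets))

    # Fix 2: put the gateway in Except Subnets.
    print("blocked DNS:", blocked_dns_servers(
        [gateway_dns], "Block", subnets, except_subnets=[gateway_dns + "/32"]))
```

Adding the gateway to Except Subnets makes that one LAN address reachable from guest clients again, so the public DNS option keeps the isolation tighter.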