EAP Controller 2.2.3 Access Control Application Example

Suitable for EAP controller 2.2.3 or higher version

In some scenario, such as in an office network administrator may want to provide visitors Wi-Fi access the Internet. But they do not want the visitor to have access to local wired network for security concern.

For TP-Link wireless routers this requirement can be fulfilled by using guest network. On EAP we can achieve this goal by using access control. This article aims to give you some instructions on how to configure access control on EAP controller 2.2.3. 

Below is a sample topology. In this sample we want the laptop to have Internet access but cannot access the server in the LAN.  

1. Before configuration, please verify that the laptop can communicate with wired desktop/server. Here we use ping on laptop and ping a wired server as an example.

2. Go to Wireless Control-> Access Control. You can either edit the Default rule or Add Access Control Rule with the Rule Name you choose. In our example we choose Block as Rule Mode and fill in the restricted Subnets field and click Apply button.


1)There are two Rule Modes including Allow and Block that you could choose. Allow is a white list and Block is a black list.

2)The rule subnets members comply with the rule mode you choose, except the ‘Except Subnets’ members. The other subnets not listed in the rule also don’t follow the rule. For example, I configure a Block rule with subnets: and except subnets: Then clients connected to the EAP can only access in the 192.168.1.x subnet. And clients could also access to other subnets.

3. Select corresponding Access Control Rule on the Wireless Settings->Edit SSID page.

4. Verify that laptop cannot ping the wired server but can ping Internet.

In the above example as the laptop cannot communicate with any of the device in the subnet you must make sure the DNS server on the laptop is outside or the laptop will not be able to access the Internet. One solution is to set the DHCP server to assign public DNS server or you can put your gateway in the Except Subnets filed.

O artigo aplica-se a:
EAP245 , EAP220 , EAP115
User Application Requirement | Updated 02-20-2017 03:46:10 AM