Local switched mode security in a multi-VLAN environment

I am wondering how to protect my network when using the default local switched mode.

The location is a business center with around 100 hosted customers. Each customer is isolated in its own VLAN.
We are currently using tunnel mode with RADIUS-assigned VLANs during WPA Enterprise authentication.

In tunnel mode, I only have to bring one dedicated AP VLAN to the APs. If a malicious user were to unplug the antenna to plug in his own computer, he wouldn't get far.

In local switched mode, I would have to bring all the tagged VLANs to the AP. If a malicious user plugged in his own computer instead of the antenna, he would have direct access to every hosted company's private network.

Is there a way to avoid this, since you can't filter that on the switch itself (i.e., allowing only the AP to connect on the switch port but still allowing wireless client MACs to pass through)?