I use an MR33 access point linked to an MS220-8P. If I turn on the access policy for MAC whitelist on the MS220 switch, the access point is able to communicate with the switch, but no other device connected to the MR33 access point can.
How could I make sure that I secure the switch port but also enable any device connected to the access point to communicate with my network?
Network infrastructure needs to trust other network infrastructure. So you won't be able to authenticate the access point or use the switch to only allow the access point to connect.
Also I'll let you think about what you proposed - you only want to allow the MAC address of the AP to connect, and the MAC address of any device attached to the AP. So in effect, the net proposed security policy is to allow any MAC address to connect.
Agreed with @PhilipDAth's assessment. But you do bring up a good point. In our case, access points are usually not reachable without a ladder etc. I assume you'll have some APs in a potentially accessible location where someone could conceptually unplug the AP, then connect a laptop?
Right - you would need a ladder and special tools, but "Where there is a will, there's a way". A connection over an AP would need an authentication.
In our most secure environments we used 802.1X authentication. Then you can whitelist the AP's MAC, and if a rogue device was connected to that port it would fail over to a guest VLAN.
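The 802.1X-with-guest-VLAN setup the last reply describes, expressed as a Meraki Dashboard API access policy, is shown below as an added example; it is not code from the thread or from Cisco Meraki. The endpoint paths, the field names (`accessPolicyType`, `radiusServers`, `guestVlanId`, `hostMode`, `accessPolicyNumber`), the `"Multi-Host"` host mode and the port `accessPolicyType` value `"Custom access policy"` are written from memory of Dashboard API v1 and should be treated as assumptions to check against the API reference for your dashboard version. The RADIUS host, secret, network ID, switch serial and VLAN numbers are placeholders. The relevant caveat the script encodes: the AP bridges its wireless clients onto the wired port with their own source MACs, so a single-host 802.1X policy would block them just as the MAC whitelist did; a multi-host mode opens the port for everything behind the AP once the AP itself has authenticated, and anything that cannot authenticate lands in the guest VLAN instead of the production one.

```python
"""Build and (optionally) push a Meraki switch access policy for an AP-facing port:
802.1X for the AP, a guest VLAN for anything that fails, and Multi-Host mode so
the wireless clients the AP bridges are forwarded once the AP has authenticated.

Assumption: endpoint paths and JSON field names follow Meraki Dashboard API v1
as understood by the author of this example; verify against the API reference.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # assumption: v1 base URL


def build_dot1x_policy(name, radius_host, radius_secret, guest_vlan):
    """Return the body for POST /networks/{networkId}/switch/accessPolicies.

    The AP supplicates with its own credentials against the RADIUS server.
    A device with no supplicant (a laptop plugged into the AP's cable) fails
    authentication and is placed in guest_vlan rather than the production VLAN.
    """
    if not 1 <= guest_vlan <= 4094:
        raise ValueError("guest VLAN must be a valid 802.1Q VLAN id (1-4094)")
    return {
        "name": name,
        "accessPolicyType": "802.1x",  # assumption: literal accepted by the API
        "radiusServers": [{"host": radius_host, "port": 1812, "secret": radius_secret}],
        "guestVlanId": guest_vlan,
        # Multi-Host: after the AP authenticates, frames from the clients it
        # bridges (their own source MACs) are forwarded. Single-Host would
        # drop them, reproducing the MAC-whitelist problem from the question.
        "hostMode": "Multi-Host",  # assumption: literal accepted by the API
        "radiusTestingEnabled": True,
    }


def build_port_binding(policy_number):
    """Return the body for PUT /devices/{serial}/switch/ports/{portId} that
    attaches a custom access policy to the port the AP is cabled to."""
    if policy_number < 1:
        raise ValueError("accessPolicyNumber is a positive integer")
    return {
        "accessPolicyType": "Custom access policy",  # assumption: API literal
        "accessPolicyNumber": policy_number,
    }


def send_request(method, path, body, api_key):
    """Perform one authenticated call; only reached when an API key is supplied."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={
            "X-Cisco-Meraki-API-Key": api_key,  # assumption: v1 auth header
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def main():
    # Placeholder identifiers; replace with your own.
    network_id = "N_000000000000000000"
    switch_serial = "Q2XX-XXXX-XXXX"
    ap_port = "1"
    policy = build_dot1x_policy("AP uplinks", "10.0.0.5", "radius-secret", guest_vlan=999)
    api_key = os.environ.get("MERAKI_API_KEY")
    if not api_key:
        # Dry run: show what would be sent.
        print(json.dumps(policy, indent=2))
        print(json.dumps(build_port_binding(1), indent=2))
        return
    created = send_request("POST", f"/networks/{network_id}/switch/accessPolicies", policy, api_key)
    binding = build_port_binding(int(created["accessPolicyNumber"]))
    send_request("PUT", f"/devices/{switch_serial}/switch/ports/{ap_port}", binding, api_key)


if __name__ == "__main__":
    main()
```

Run it without `MERAKI_API_KEY` set to see the two request bodies; set the variable to actually create the policy and bind it to the AP's port. Keep a whitelist-free guest VLAN isolated from internal resources, since that VLAN is exactly where an attacker who unplugs the AP will land.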