Normally ACL's on MS switches are VLAN ACL's so you should be able to just block traffic coming from that VLAN to any private RFC1918 address in 3 rules and that should effectively also isolate guest clients from each other.
... View more
>I would have to create another Network Policy on the RADIUS server in order to assign different network access "rights" via another Group Policy on the MX. That is correct.
... View more
Yes correct. I've done that here with two switchports. They are set as access ports tagging VLAN 500. As you can see, no L3 interface for that VLAN exists on the switch (or anywhere else in the network in this circumstance)
... View more
