Hi clembo
First of all, thanks for the input.
I'm looking for 16 ports. RAPs will be placed in an untrusted place outside of my corp network so security is a must. In my deployment I use RAP with zero touch so is very easy to deployment and maintain.
I tested the same with an Aruba Switch but for the security and support model this option is adding a new platform to maintain which needs to be configured and also keeps a copy of the configuration at the remote end. Aruba Switch is not fully Zero touch and would require maintaining more firmware and new roadmaps. RAP is much easier to provision, update and modify and upgrade.
When I tried it with a Juniper EX switch, I managed to configure a switch port out of the 4 from the RAP as a trunk to pass the frames to the central controller to terminate the 802.1x. It works but this is so much complicated to maintain and also I don't want to open one port of the RAP so is unsecured.
Your first option is fine but with 16 ports I would to multiply hardware/cost of the solution by 4 and the scope is EMEA so the cost wouldn't be affordable.
Regards,