The MAC authentication is not done on the AP -> it is sent to the controller. The controller will use the authentication server or its local internal database to check the MAC address.
In bridge mode, there is a tunnel from the AP for 802.1X traffic. This is the only traffic that is sent to the controller when the SSID is in bridge mode. No special rules are needed. The AP automagically does that.
You can use Split-tunnel mode.
In the policy you have to create some rules.
The traffic that matches the rules with action = "permit" will use the tunnel.
The traffic that matches the rules with action = "route src-nat" will be bridged locally.
I hope this makes it a little bit clearer.
(if not contact me via Skype)
http://community.arubanetworks.com/aruba/attachments/aruba/108/1002/1/split-tunneling.pdf
http://community.arubanetworks.com/t5/Access-Points-and-Mesh-Routers/Split-tunnel-for-RAP-s/td-p/67452
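A split-tunnel policy of the kind described in the reply above, as an added example that is not part of the original post. It is written in ArubaOS controller CLI syntax; the ACL, role and virtual-AP names and the 10.0.0.0/8 corporate range are assumptions. Rules are evaluated top-down, so the tunnelled destinations must come before the catch-all `route src-nat` rule.

```text
! Added example: all names and the 10.0.0.0/8 range are assumed values.
ip access-list session split-tunnel-policy
  ! DHCP goes through the tunnel so the client gets a corporate address
  any any svc-dhcp permit
  ! Traffic to the corporate range: action permit = forwarded in the tunnel
  user network 10.0.0.0 255.0.0.0 any permit
  ! Everything else: source-NATed and bridged locally at the AP
  user any any route src-nat
!
user-role split-tunnel-role
  access-list session split-tunnel-policy
!
wlan virtual-ap "split-tunnel-vap"
  forward-mode split-tunnel
!
```

Anything that does not match a `permit` rule leaves through the AP's local uplink, so it no longer passes the controller's firewall, logging or inspection; keep the `permit` list complete for every network that has to stay under central control.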