Hello,
The mac-authentication is not done on the AP. -> is sent to the controller. The controller wil use the authentication server or its local
internal database to check the mac-adres.
You can use Split-tunnel mode.
In the policy you have to create some rules.
the trafffic who match the rules with action=" permit" wil use the tunnel
the traffic who macht the rules with action = "route src-nat" wil bridge the traffic localy
I hopte this makes it a little bit clear.
Greets,
Peter