Hi,
We can work with device-identity and device-profile and lldp-bypass to 'open' a port to which a specific device type (based on LLDP or CDP) is connected. That enables easy config of e.g. Instant APs. At the moment there is one limitation: when applying downloadable user roles with 'Device Configuration' (PoE settings, admin edge port or port mode) enabled, the DUR fails with lldp-bypass enabled. I would suggest using DUR even for APs when deploying a 'colorless port' setup.
For the switch issue: it depends. I would say that this is exactly the behaviour that we want: authenticate all clients, even those behind another (unmanaged) switch. But if we want, we can also put this link in port mode via DUR when the first client on the second switch authenticates, set client limits, ...