Thank you madjali - I worked through a config this weekend and have the MAS behind a firewall and tunneled over an IPsec tunnel. That works, except I have yet to establish "internet" connectivity, although I do authenticate and have access to internal corporate resources.
I'm intrigued by deployment #1, as that may be more in tune (and simpler) with my objectives.
In that configuration, is each port of the MAS authenticated via the same 802.1X profile that the RAP is configured for on the controller? Is the 802.1X request just passed the same as the wired ports on the RAP? Is the port just set as untrusted with a trunk port on the RAP (i.e. MAS trunked to RAP)? I'll start experimenting with that to see if I can get it working.
Thanks for the thorough response and any additional details you might have on option #1.