The Juniper port is on the floor's access switch; it was a regular office wall jack that I need to plug the 303H into, to expand our wifi coverage. Usually our wired ports are set for dot1x on the Juniper, so that any connected user devices go into the proper VLANs. (But this is just device recognition via MAC auth, not full-blown 802.1X auth with a username and password.)
For our ceiling-mounted APs (the bulk of our fleet) we usually config the relevant switch port (also on this same Juniper) just as an Access port on the AP VLAN, as we're mostly using AP-215 and AP-315 that don't have extra ports. For those APs, it is simple to just set the port to the AP VLAN and use tunneled mode.
However, for the AP-303H's that I've used so far, I've had to set the port to be in trunk mode with all the necessary VLANs for the wired port, and with the AP VLAN as native, so that an AP can find the controller as soon as it is plugged in.
However, since the dot1x on the Juniper can identify the AP, I don't need the port to be native or access on the AP VLAN; it can just be a default dot1x port, and then detect the AP.
(Note that in my example, the "dumb switch" is just for proof-of-concept of having a bunch of stuff hit the same port without needing to tag any of their packets--not using the dumb switch at all in the real deployment.)
SO: The present case is a single wall jack that goes to the Juniper switch, and the switch does MAC-based dot1x to decide what VLAN devices go into. But, with just the single port, it is usually just one device at a time, or else a VoIP phone with a computer plugged into it.
Adding a dumb switch to this Juniper port lets me plug in several things at once, with the port sorting which VLAN goes with which device, packet by packet.
I'd like it if the 303H could plug in to this same port and "just work", with the AP being recognised and sent to the AP VLAN, and all other things just going to the Juniper port that the AP is plugged in to.
The first stage works, because if I plug the 303H in, it gets recognized and assigned to the AP VLAN and tunnels to the controller, so wireless access works properly.
But I don't know how I might configure the other AP ports so that packets from them do not get tagged, and also so that these packets don't go down through the tunnel to Mobility Controller, but hit the local Juniper port.
Is there a setting to have it tunnel all the AP and wifi client traffic, but bridge all the wired port traffic? I can make that happen if I specify VLANs for the wired ports, but not if I want to leave their traffic all untagged.
Maybe I'm missing something easy: basically I want the AP to just output any traffic that comes in P1-P3 out via P0, to the Juniper switch.
Essentially, the AP is connected to a switch port that acts as if it is several different ports, one port per incoming MAC.