I have a AP303H running as a RAP, with wired port profiles applied. The AAA profile applied to the port uses 802.1X with no L2 fail-through for MAC based authenticaiton.
When I connected a corporate endpoint configured for 802.1X, everything worked as expected.
I connected my home PC, which is not setup for 802.1X, and was surprised that it got an IP address in the scope/VLAN assigned to the port. I couldn't access anything because I got a guest or logon role.
I thought that with 802.1X enabled I shouldn't be able to get DHCP unless I passed 802.1X? In this case, I didn't even attempt it and still got DHCP on the corporate network.
aaa profile "WiredPort1_aaa_prof"
authentication-dot1x "Wired_dot1_auth"
dot1x-default-role "authenticated"
dot1x-server-group "ISE"
radius-accounting "ISE"
!
aaa authentication dot1x "Wired_dot1_auth"
machine-authentication machine-default-role "logon"
machine-authentication user-default-role "logon"
!