I have an MX67 which has a VPN tunnel to an MX84. I want to authenticate devices onto the MX67 ports based upon their MAC address. I already have devices authenticated by dot1x supported by an ISE over the tunnel. I cannot use MAB to authenticate the non-dot1x devices because MAB on an MX67 does not work with the ISE, which requires the "call-check" attribute and which the MX does not supply.
It has been suggested that I could set up a "deny-any-any" firewall rule on the MX67, then whitelist the MAC addresses of the required clients. However, I don't see a way of doing that without disabling the ports that are successfully authenticating with dot1x, and as a result having to reconfigure the ports that were authenticating with dot1x to authenticate with whitelisted MAC addresses, which is inferior and less secure than dot1x.
Have I misunderstood the situation, or does my description and diagnosis above sound right?