I have a contradictory task. There is authentication with certificates (EAP-TLS) in my network. But at the same time I need to connect some devices without authentication, because some engineers need to set up a lot of equipment (for example, switches, access points, servers...). MAB isn't a solution, because that means that every device (including devices connected only once).
My colleague suggested a solution. There is a script on every user's PC authenticated with certificates. This script allows connecting to the Cisco switch and running "no shutdown" on the needed static access port. If the device is disconnected from the network, the port shuts down. An engineer who wants to connect a device runs the script on his computer.