
https://ciscolicense.com/lic/cat/security/ise/

ISE upgrade 2.7

Rest MNT ISE

Palo Alto integration

IBNS 2.0

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2015/pdf/BRKSEC-2691.pdf

20140122-techupdate-part-3.pdf

NEAT with Interface Templates

ise_neat-w-int-template.pdf

https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/5607/1/ise_neat-w-int-template.pdf

https://community.cisco.com/t5/network-access-control/ibns-2-0-dynamic-interface-templace-not-applied-correctly-unless/td-p/3691265

Macro port config

AI endpoints Cisco ISE

Case study Combating MAC address spoofing in access networks

ise-20-profiling

c3pl

Triggered NetFlow — A Trick of the Trade

ISE priority

https://community.cisco.com/t5/network-access-control/dot1x-mab-priority-and-order/td-p/3515280

In our environment

order: mab dot1x

priority: dot1x mab

This made sense in our environment as we wanted to accommodate MAB devices quickly and not make them wait for dot1x timeout. Using the priority allows for dot1x to overrule the MAB process if it sees EAPoL traffic. This assists with quick connection time as well for dot1x nodes.

Issues we faced were that dot1x supplicants could not re-authenticate properly and send an EAPoL packet to restart the dot1x process. This occurred on Windows and Mac, native as well as AnyConnect supplicants. The only way we found at the time to resolve it was to either change the order to dot1x mab OR turn off re-auth.

We just recently modified one of our AuthZ profiles to use cisco-av-pair = termination-action-modifier=1.

This will have ISE instruct the switch to re-use the last successful method, whether it was dot1x or mab, for that session.

This so far has resolved these struggles. We are continuing to test.
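Added example (not from the thread above): a legacy-style IOS access-port configuration with the order/priority combination the post describes, plus periodic re-authentication, which is the combination under which the re-auth problem appeared. The interface name, VLAN and timer values are assumptions; the ISE-side fix the poster used is an Authorization Profile advanced attribute, noted in the comments.

```ios
! Assumed interface, VLAN and timers; adjust to your environment.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 ! order: try MAB first so MAB-only endpoints get a result without
 ! waiting for the dot1x timeout
 authentication order mab dot1x
 ! priority: let dot1x override a MAB result once EAPoL is seen
 authentication priority dot1x mab
 ! periodic re-auth driven by the RADIUS Session-Timeout; with the
 ! order/priority above this is where the re-auth problem showed up
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! ISE side (GUI, not switch config): in the Authorization Profile,
! Advanced Attributes Settings, add
!   Cisco:cisco-av-pair = termination-action-modifier=1
! so the switch re-uses the last successful method at re-auth time.
!
! Check the active method and remaining session timer per endpoint with:
!   show authentication sessions interface GigabitEthernet1/0/1 details
```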

burim/cisco/ise.txt · Last modified: 2021/09/29 17:22 by burim
