Continue a failed dot1x authentication

philipp.staiger (Level 1)

Hi,

is it possible to continue to the authorization policy even if 802.1x authentication has failed? I cannot find any configuration which allows this scenario.

I am using PEAP MS-CHAPv2 over WiFi and want to redirect people with invalid credentials because of a missing domain to a portal. Therefore I have an authentication policy that matches on users that do not have a domain in their usernames and then checks the internal user identity store. I have also configured all scenarios to continue. (see attachment for a screenshot of the rule)

 

However ISE rejects the client before going to the authorization policy:

15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - tester
24216 The user is not found in the internal users identity store
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
11006 Returned RADIUS Access-Challenge

 

Is this not possible in general when using 802.1x, or just not using MSCHAPv2?

 

Thanks in advance for any hints, info or other comments :)

Accepted Solution

Jason Kunst (Cisco Employee)
Not a feature of wireless dot1x. It runs in closed mode, meaning if there is a failure then it won't pass any traffic.

On wired it would fail to MAB and you can do something like you listed there.


Thank you Jason,

 

is there any way to run it in "open" mode without MAB, but rather using 802.1x or another way to just accept any credentials?

On the LAN it would also fail if the client does dot1x, unless the switchport has the priority set to MAB to override dot1x!? But clients would still try to rerun dot1x and get kicked out of their MAB session again?

 

In theory you could allow a Dot1x session to move past authentication when it fails by changing Auth Fail to Continue in the options.

 

[Screenshot Capture.JPG: the authentication rule options with Auth Fail set to Continue]

 

Then you can check the Network Access Authentication Status to see if the user passed authentication or not.

@paul - I think this is not possible in the wireless world because the wireless client L2 has to match the configuration of the WLC L2. If the client WLAN profile is configured with a supplicant, then it will never be able to talk on an open SSID/PSK WLAN SSID because even at the OS level there is no fallback. Similarly, if the WLAN SSID is configured for 802.1X (WPA2 Enterprise) then the link layer is only brought up after a successful EAP conversation; it cannot fall back halfway to any other method. In the wired world we can sense the link up on the L1 electrical layer and then take steps from there. The way I see it, in wireless, an open SSID is like a round hole and a supplicant is like a square peg ... it's gotta match.

Yes the client has to do Dot1x. I am saying they don’t need to pass Dot1x. I can use the options to get around failed credentials or username not found.

Well, I set everything to continue and it did once, but it will just try to do MSCHAP again and fail, and the second time it won't continue.

So if you @paul have any more specific details on how you are doing it, I would also be interested in whether this also works with PEAP-MSCHAPv2.

I can imagine using EAP-TLS and just using a certificate profile without going against an identity store. But for password-based methods it doesn't seem to work.

@Arne Bier I think Layer 2 is not the issue here, since they agree on dot1x via PEAP-MSCHAPv2 and then it is only a matter between ISE and the supplicant accepting their EAP credentials.

I do not see why ISE makes a difference in handling HostLookup vs. identity-based methods, as long as people know what they are doing, of course :)

OK I am all ears now :-)   Keen to see how this works because I am sure it's something I could re-use in my own deployments.

So are you saying that if EAP-PEAP fails, then the client should be redirected to a web portal?  Sounds like a great idea.  I'd like to know how that is done too.

I can tell you from my own experience, the only time this has worked for me is in the BYOD flow, where a client authenticates with a cert that is close to expiration. My AuthZ rule catches this condition and causes a web redirection to the BYOD renewal portal. BUT - and this is the crucial thing - the authentication was successful (and if you did a Wireshark capture you'd see that the EAP-TLS conversation came to a happy ending (EAP Success)). This then allows the supplicant to be allowed on the WPA2 Enterprise SSID ("RUN" state) and the web redirection does its magic on that same VLAN.

 

Grr, sorry, I just remembered that this isn't possible. There actually used to be a message in the options fields that told you that in older versions. It is still there in the guides:

"For authentications using PEAP, LEAP, EAP-FAST, EAP-TLS, or RADIUS MSCHAP, it is not possible to continue processing the request when authentication fails or user is not found."

I have used the Continue trick before, but it was for PAP ASCII-based authentication on VPNs.

Sorry for the confusion.
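As an added example (it is not from this thread and not Cisco tooling), here is a small Python scanner that reads ISE step lines like the ones quoted in the original question, reports whether the Continue advanced option (step 22060) was configured and then ignored (step 22028), and names the methods from the guide quote above for which Continue cannot apply. The step codes and messages are copied from the quoted log; the second sample log, the same user lookup failure that stops at 22060 with no 22028, is constructed for contrast and uses only codes that appear in the quoted log.

```python
"""Scan ISE authentication step logs for sessions where the 'Continue'
advanced option was configured but then ignored by the EAP method.

Added example, not from the thread or from Cisco. Step codes are those
quoted in the question; the second sample log is constructed.
"""
import re

# Step codes as they appear in the quoted ISE log.
CONTINUE_CONFIGURED = "22060"  # 'Continue' option configured for failed auth
CONTINUE_IGNORED = "22028"     # auth failed and the advanced options are ignored

# Methods for which the ISE guide (quoted in the thread) says processing
# cannot continue after a failed authentication or unknown user.
# "MSCHAP" stands in for the guide's "RADIUS MSCHAP" and for PEAP's inner
# EAP-MSCHAP, which is how the method shows up in the step messages.
NO_CONTINUE_METHODS = frozenset({"PEAP", "LEAP", "EAP-FAST", "EAP-TLS", "MSCHAP"})

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")
METHOD_RE = re.compile(r"\b(EAP-FAST|EAP-TLS|PEAP|LEAP|MSCHAP|PAP)\b", re.I)


def parse_steps(log_text):
    """Return [(code, message)] for every line that looks like an ISE step."""
    steps = []
    for line in log_text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def methods_seen(steps):
    """Collect the EAP/RADIUS method names mentioned in the step messages."""
    found = set()
    for _code, msg in steps:
        for name in METHOD_RE.findall(msg):
            found.add(name.upper())
    return found


def continue_supported(method):
    """Whether ISE can honour 'Continue' for this method, per the guide text."""
    return method.upper() not in NO_CONTINUE_METHODS


def analyze(log_text):
    """Summarise one session's step log: was Continue configured, was it
    ignored, and which methods in the exchange rule it out."""
    steps = parse_steps(log_text)
    codes = [code for code, _ in steps]
    configured = CONTINUE_CONFIGURED in codes
    ignored = CONTINUE_IGNORED in codes
    methods = methods_seen(steps)
    if configured and ignored:
        verdict = "continue-ignored"
    elif configured:
        verdict = "continued"
    else:
        verdict = "no-continue-option"
    return {
        "steps": len(steps),
        "continue_configured": configured,
        "continue_ignored": ignored,
        "methods": sorted(methods),
        "blocking_methods": sorted(m for m in methods if not continue_supported(m)),
        "verdict": verdict,
    }


# Step log copied from the question (PEAP-MSCHAPv2, user not in internal store).
QUOTED_LOG = """
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - tester
24216 The user is not found in the internal users identity store
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored
11006 Returned RADIUS Access-Challenge
"""

# Constructed contrast case: same lookup failure, Continue configured, no 22028.
CONSTRUCTED_LOG = "\n".join(QUOTED_LOG.strip().splitlines()[:6])

if __name__ == "__main__":
    for name, log in (("quoted", QUOTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, analyze(log))
```

Run it against a pasted step log from the ISE live log detail; a `continue-ignored` verdict with PEAP or MSCHAP in `blocking_methods` is exactly the case the thread ends on, so the authorization policy will never see the session.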


That is too bad. Bummer that it is not in any of the guides anymore..

However, if that is not an unsolvable issue with EAP itself, this would be a nice feature. I feel like this is not made possible in order to protect the users (admins) from themselves? Could this be a feature request?

For EAP-TLS I have done it for devices which received their certificate without being in any kind of identity store, and therefore without using the Continue method, as I just selected a certificate profile without an associated identity store. Then I only matched on the Issuer CN and on a special tag in the Subject CN. So there was no real identity-based authentication behind it..