Makes perfect sense if ISE fails. Thanks for the info.

I'm back on this topic.

I had an case were my switches were running with auth open, but the GPO that sets 802.1x on clients weren't deployed yet. Testing a policy for MAB and guest portal, all the users failed dot1x, and then got to MAB. All the users got redirected to the portal.

Luckily this only happened to a handful of users, so the impact were limited. But if all 500+ users got hit, how would they recover?

If MAB is still working then ISE is still working, the outcome you saw is what is expected.

Your production switches should be in monitor mode, while in monitor mode you should have all results in your policy set to "permit access". This will allow you to test policy and ensure everyone is hitting the correct policy. Anyone hitting the wrong policy can then be fixed/remediated before going to enforcement mode where they can lose network access.

Working through a methodology of Monitor mode and moving to enforcement mode will help to alleviate any issue you may run across.

Also only test on a non production switch so you do not affect users.

I get what your saying, and my switches are running in monitor mode. Despite the PermitAll at the end of every policy, users fails 802.1x, and then do MAB. Then the wired mab -> redirect catches the request and sends the users off to the portal. Like you wrote before, this is expected.

If you are in monitor mode there should be no redirect setup. Can you share some screenshots of your policy?

I restricted the policy to only be applied to my desktop switch. NAS 192.168.2.25.

The GUEST_REGISTRATION is the redirect, and GUEST_PORTAL_ACCESS allows the users afterwards.

Lets just imagine that the certificate for dot1x expires and all wired endpoints are redirected to the portal. Then we change the certificate, and all endpoints need to trigger dot1x again?

You can change settings in ISE and build a policy to allow the authentication of expired Certs, then when they go to authorization you can give them limited access to renew their Certs, this will avoid them being sent to the webauth portal. 

The other option if you don't want to accept expired certs is you could profile these devices as AD domain joined devices using the AD profiler.  This assumes they are AD domain joined.  Then in your MAB rule you could give them enough access to renew certs.

With both solutions, clients will be allowed to renew their certificates, but will or can ISE trigger CoA when a new certificate is issued to the client? Or is it necessary to trigger dot1x on the port to process the client again?