Hi,
dot1x authentication and mac-authentication bypass are layer 2 authentication mechanism and webauth is a layer 3 authentication mechanism.
u can set multiple authentication profiles and set the priority as well.
like u can have dot1x authentication first and second webauth and third as mac-authentication bypass.
remember the other authentication mechanism will only come into place if the first authentication is not possible that is the client is not having a suplicant for dot1x.
if a user doesn;t have dot1x supplicant and u have configured guest vlan then the user will be put into the guest vlan otherwise the user will be in the access vlan in which the port is configured.
if u have configured auth-fail vlan and the user gives wrong credentials the user will be put into the auth-fail vlan.
if a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication .
the fallback mechanism is only when the dot1x authentication cannot be executed because the client is not having dot21x supplicant. then the next mode of authentication will be triggered that is either webauth or MAB.
if a user fails the dot1x authentication dues to wrong credentials then he cannot be prompted for a another authentication mechanism. this is to avoid security breaches.
hope this helps.
regards
Sushil