Hi @CA_HA
I can only speak about how the Cisco WLC works, since that is the one I understand the best. The problem is that the WLC WLAN has to be set to be of a certain type/mode. You cannot configure the WLAN profile to be MAB & 802.1X. And when the WLAN is configured as 802.1X then it will only authenticate the client session if, and only if, the Radius server returns an EAP Success in the final Radius Access-Accept EAP payload. If it doesn't, then the client session remains in 802.1X_REQD state, waiting for a miracle to happen. So let's assume you have a wireless client that does not have a supplicant configuration. In most cases it won't be able to even attempt to connect to the 802.1X SSID. Windows 10 for example will try PEAP by default, but that is not MAC auth either. The comms will break down due to things like TLS establishment failures etc. You can't short circuit an EAP conversation.
In wired world there is no requirement to have a supplicant in order to send an Ethernet frame to a switch port. The switch (configured primarily for 802.1X will wait patiently for an EAPOL message, and also send EAPOL START frames - depending on your timers (say 30 seconds) this song and dance will lead nowhere and the switch will eventually give up. And if you configured MAB as the next auth method, then the switch will pass on your Ethernet frame to the AAA for MAC authentication. This concept does not work in the wireless domain because OSI Layer 1 and 2 work differently.
Having two SSIDs would do the trick - you can try cool stuff like Identity PSK on Cisco controllers where each wireless client can potentially have different pre-shared key depending on their MAC address.
