04-24-2020 07:59 AM
Hi there,
Long-time browser, seldom poster. Wanted to reach out to the community about this one to find the best solution instead of just a workaround. So this is probably common; I have ports which have a phone and a computer plugged into them. Because of the deployment, and because different people manage different devices, I can't use dot1x on the phones; I need to use MAB. But for the computers plugged in I do use dot1x. So I have both on the same port. I have the priority set up just fine (dot1x first, MAB second). But I find that sometimes a computer plugs in, fails dot1x, then fails MAB. But it keeps retrying MAB. This is resulting in more failed logon attempts than one can count. It makes parsing the logs not impossible, but a nuisance.
My question is, can I make it so the data vlan uses dot1x and the voice vlan uses MAB on the same port? This could make sure nothing is allowed to do what the other can, and should solve my logging problem.
Thanks in advance.
interface GigabitEthernet5/0/14
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 11
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security
 no logging event link-status
 no cdp enable
 authentication control-direction in
 authentication event fail action authorize vlan 192
 authentication event server dead action authorize vlan 4
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level bps 10m 2m
 storm-control multicast level bps 10m 2m
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
Thoughts? Questions? Thanks again.
04-24-2020 08:50 AM
- There are many resources available on this subject which may give you inspiration and/or extra things to check for; here's an example from the 'googling world':
M.
04-27-2020 12:49 PM
Thanks for the reply M. I checked over a few pages of the suggested links you shared, but it still doesn't quite touch on my issue. I was trying to see if I could force a single port to use different authentication for different VLANs: MAB for the phone VLAN, dot1x for the data VLAN. If that's not possible and the entire port must follow both, then how do people deal with the influx of logs you get on a port where the computer meets neither your MAB nor your dot1x requirements? I was trying to push them into a guest VLAN, but it seems the port continues to keep trying MAB even when in the guest VLAN, and this generates a huge number of failed logon attempts, which clutters the logs and makes admins parsing them likely to miss some of the legit logon attempts they should be looking at. Thoughts?
04-27-2020 11:49 PM
- My fundamental thoughts are that I have never been in favor of such setups because they defy the purposes of solid authentication on a rigid, strong, structured Intranet authentication setup (by that I mean PCs plugged in behind phones). I think the full benefit of products like ISE can be accomplished by giving each device a separate physical network connection.
M.
04-28-2020 01:33 PM
Ok, I think what you're alluding to confirms my suspicions: that there is no way to separate the authentication per VLAN on a port, but rather that the authentication config is for EVERYTHING connected to that port. To make matters worse, this is not an ISE deployment, but rather uses RADIUS and MS NPS. But you're right, this would be so much easier to manage if I didn't need to have an end port with more than one MAC tied to it, and more than one policy tied to it. I just wish there was an easy answer to not allow these machines to keep trying MAB and failing. It generates way too many logs.
04-29-2020 12:21 AM
Why don't you simply change the rules on ISE so that MAB does not fail anymore?
You can create a rule which redirects unprofiled MAB hosts to a guest portal, or change the default deny rule at the end to a permit, but with an ACL which denies any any.
04-29-2020 05:22 AM
Thanks Massimo, now we're getting somewhere. I like that suggestion; it intrigues me. But what if I don't run ISE in my environment? Doing the same in MS NPS?
See, the missing link is that I've got phones with devices plugged in behind them. But those devices plugged in behind are sometimes our domain machines, and sometimes other BYOD or vendor devices. When it's one of our domain machines, no problem: dot1x works, authenticated, we're good. But when it's a vendor device, they plug in, end up on the guest VLAN (which is intentional), but then every 30 seconds or so it tries to re-auth the port. This fails dot1x, then fails MAB every time, and generates these failed logon attempts. Thing is, they're not really failed; it's doing what it needs to do, but it clutters all the auth logs so much that reviewing them for anything legit is nightmarish.
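The log clutter described in this post is separable on the RADIUS side: a MAB attempt carries the endpoint MAC as its username, so a guest device that fails MAB every ~30 seconds produces a run of identical entries for one MAC and port, while a real 802.1X credential failure carries a user or host name. The script below is an added example, not code from this thread or from Cisco or Microsoft; it parses a constructed, simplified failure-log format (not real NPS or ISE syntax), collapses the MAB retries per MAC and port, and leaves dot1x failures listed individually.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (simplified, not real NPS or ISE syntax): one failed
# RADIUS authentication per line. The MAB "user" is the endpoint MAC, which is
# what makes a guest device retrying every ~30 s look like a burst of failed logons.
SAMPLE_LOG = """\
2020-04-29T08:00:00 FAIL user=001122334455 method=mab port=Gi5/0/14
2020-04-29T08:00:30 FAIL user=001122334455 method=mab port=Gi5/0/14
2020-04-29T08:01:00 FAIL user=001122334455 method=mab port=Gi5/0/14
2020-04-29T08:01:30 FAIL user=001122334455 method=mab port=Gi5/0/14
2020-04-29T08:02:00 FAIL user=jdoe method=dot1x port=Gi5/0/14
2020-04-29T08:02:10 FAIL user=001122334455 method=mab port=Gi5/0/14
2020-04-29T08:05:00 FAIL user=host/LAB-PC1.corp.example method=dot1x port=Gi5/0/20
"""

LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) method=(dot1x|mab) port=(\S+)$")
MAC_RE = re.compile(r"^[0-9a-f]{12}$", re.IGNORECASE)


def summarize_failures(log_text):
    """Collapse repeated MAB failures per (MAC, port) and keep 802.1X
    failures individually, so genuine credential failures stand out."""
    mab = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    dot1x = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.fromisoformat(m.group(1))
        user, method, port = m.group(2), m.group(3), m.group(4)
        if method == "mab" and MAC_RE.match(user):
            entry = mab[(user.lower(), port)]
            entry["count"] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
        else:
            dot1x.append((ts, user, port))
    return {"mab_retries": dict(mab), "dot1x_failures": dot1x}


def retry_interval_seconds(entry):
    """Average gap between repeats; ~30 s matches the re-auth cadence described above."""
    if entry["count"] < 2:
        return None
    return (entry["last"] - entry["first"]).total_seconds() / (entry["count"] - 1)


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for (mac, port), e in summary["mab_retries"].items():
        print(f"{mac} on {port}: {e['count']} MAB failures, ~{retry_interval_seconds(e):.0f} s apart")
    for ts, user, port in summary["dot1x_failures"]:
        print(f"{ts} dot1x failure for {user} on {port}")
```

Pointing `summarize_failures` at your own exported log only needs `LINE_RE` adjusted to the real field layout; the MAC-as-username test is what separates the retry noise from the entries worth reviewing.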
04-29-2020 06:03 AM
With Cisco switches and ISE it is not really important whether the device is plugged directly into the switch port or is behind an IP phone; each MAC address is treated as a single session. What makes the difference is the switch configuration and the ISE policies.
I've used NPS very few times and only for 802.1X authentications; it is for sure much, much less flexible and feature-rich than ISE, but I don't even know if it supports MAB.