802.1x - Authentication failed

Anna_Katona (Level 1)

Hello!

The network layout is: a custom laptop, a Cisco switch (model Cisco WS-C3750-48PS-S, firmware version 122-58.SE2) and a FreeRADIUS server.
The user is authenticated by MAC address (the switch sends the MAC address of the server as username and password).
On my computer it says "Authentication failed".

Port mirroring was set up and the traffic was checked with Wireshark.
It can be seen that the server responds with an Accept message (screenshot attached), which carries the VLAN number.
With the command "sh vlan" it can be seen that the switch assigned the desired VLAN to the port.
The port is mirrored towards the user. There are three Start messages from the user (screenshot attached), but Request-Identity messages from the switch are absent (no screenshot).
Therefore the user does not receive a message from the switch that authentication passed, and does not work with the network (does not send a DHCP query).

If 802.1x is disabled on the PC, the PC works with the network.
The network was tested on 2 different switches with different firmware (). The PCs run Windows 7 and Windows 8.

Fa 1/0/18 - to the PC.
Fa 1/0/47 - to the FreeRADIUS server.

What could be the problem?

Thanks in advance.

p.s. I attach the config file.

11 Replies

nspasov (Cisco Employee)

Hi Anna-

Just to confirm: "If you disable 802.1x on the client/supplicant side" your authentications are successful? If that is the case then I would keep 802.1x configs off the client. By using MAC address based authentication you are only doing MAB (MAC Authentication Bypass), thus no dot1x settings/configs are needed. Here is a link to the MAB deployment guide:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

Another good command to check the authentication status is:

show authentication session interface_name_number detail

Hope this helps!


Thank you for rating helpful posts! 


Hi, Neno!

Thank you very much for the answer!

As I understand it, MAB is usually used for devices that do not support 802.1x. For example, I don't know what will be connected to the port: a PC that supports 802.1x, or a printer. The switch must send a "Request-Identity" message and proceed to MAC authentication (MAB) if there is no response. Wireshark shows that the switch doesn't send a "Request-Identity" message.
If I use authentication by username and password for the PC and MAB for the printer, how should I change the switch's configuration so that it sends the "Request-Identity" message in response to the "Start" message from the PC?

No problem! Yes, you are correct, a switchport can be configured to support both MAB and dot1x authentication. I am still trying to understand the following:

1. When does authentication fail and when does it work? Please provide more details.

2. Can you post screenshots of the supplicant (Windows) configuration?

3. Please post the output of this command during both the failed and successful authentications:

show authentication session interface_name_number detail

4. I would also add the following commands to your access port:

dot1x pae authenticator

authentication event fail action next-method

authentication violation restrict


802.1x is enabled on the PC. The PC is connected to the port.
The switch receives a message about successful authentication from the RADIUS server and assigns a VLAN to the port.
The switch doesn't report the successful authentication to the PC.
The PC "thinks" that the authentication failed and displays the message "Authentication failed" (always).

However, if I then disable "802.1x" on the PC, the PC can get online.

I'll send screenshots tomorrow.

Thank you for your help!

Sure thing. I will be waiting for the screenshots and the output of the command above. Also, make sure you enter the port commands from my previous post and then try again.


Today I tried to use only MAB. Everything is OK, my PC gets online.

Later I'm going to use not only MAB but also dot1x (certificates).

The problem was that I didn't prioritize MAB and dot1x, so the PC tried to connect using 802.1x and didn't receive a response, while the switch authenticated it through MAB.

Thanks a lot for such helpful posts! :)

You are welcome! Glad to hear your issue was resolved! If you are all set please mark the thread as answered :)


Hello, Neno!

Could you help me?

I have a new problem. :(

A monitor session shows that voice traffic doesn't go through the trunk port (although data traffic does).

I have a standard configuration of the port:

(config-if)#switchport mode trunk

(config-if)#switchport trunk encapsulation dot1q

(config-if)#switchport trunk allowed vlan 101,102

VLAN 101 is the voice VLAN.

What is the problem?

Hi Anna, sorry but I am out on vacation for the next two weeks and have very limited connectivity.

Make sure your port is configured for "multi-auth". You can also use the "show authentication session ...." command to check the auth status of the phone's MAC address.

The best thing to do is to start a new thread in the Security > AAA section.


Hi, Neno!

I turned on "lldp", so this problem was solved :)
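For readers landing on this thread: below is an example access-port configuration, added here and not taken from the attached config or from either poster, that applies the dot1x/MAB ordering fix Anna describes together with the commands Neno suggested (multi-auth for a phone plus PC, and LLDP for the voice VLAN). The interface, VLAN numbers, RADIUS server address, shared key and timer values are assumed; the RADIUS-assigned VLAN from the Accept message overrides the static access VLAN.

```cisco
! Global settings (assumed; global AAA must exist for dot1x and MAB to work)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! Documentation-range address and placeholder key, constructed for this example
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
! LLDP (LLDP-MED) lets an IP phone learn its voice VLAN from the switch;
! enabling it is what resolved the voice-traffic problem later in the thread
lldp run
!
interface FastEthernet1/0/18
 description PC or printer (802.1X first, MAB fallback)
 switchport mode access
 switchport access vlan 102
 switchport voice vlan 101
 ! Act as 802.1X authenticator so an EAPOL-Start from the PC gets a Request-Identity
 dot1x pae authenticator
 ! MAB as the second method for devices without a supplicant (printers)
 mab
 ! Try 802.1X before MAB; without an explicit order the switch may authorise
 ! a PC via MAB while its supplicant is still waiting for Request-Identity
 authentication order dot1x mab
 ! If a MAB-authorised host later sends EAPOL, 802.1X takes precedence
 authentication priority dot1x mab
 ! After a failed method, continue with the next one instead of stopping
 authentication event fail action next-method
 ! Phone and PC on one port, each authenticated separately (Neno's advice)
 authentication host-mode multi-auth
 ! On an unexpected MAC, drop its traffic rather than err-disabling the port
 authentication violation restrict
 authentication port-control auto
 ! How long to wait for a supplicant before falling back to MAB (assumed values, seconds)
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Verify per-host state with: show authentication sessions interface FastEthernet1/0/18
```

With this ordering the Wireshark capture should show Request-Identity frames answering the PC's Start frames, and a printer that never answers falls back to MAB after roughly (max-reauth-req + 1) x tx-period seconds.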

Glad you were able to solve your issue! Also, thank you for taking the time to come back and inform everyone of the solution (+5 from me) :)
