1019 Views | 3 Helpful | 5 Replies

SSID with Dot1X and MAB

Noovi
Level 1

Hi Guys,

Any options if i can have one SSID on Cisco 5520 WLC which supports dot1X as well as MAB?

Actually we have issues in some devices where the certificate cannot be pushed, and we want to connect those same devices on the same SSID through MAB.

5 Replies

Hi

This is the option you can have with one SSID. Considering 9800 WLC.

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_multiple_authc_for_a_client.html

 

| Layer 2            | Layer 3 | Supported |
|--------------------|---------|-----------|
| MAB                | CWA     | Yes       |
| MAB                | LWA     | Yes       |
| MAB + PSK          | -       | Yes       |
| MAB + 802.1X       | -       | Yes       |
| MAB Failure        | LWA     | Yes       |
| 802.1X             | CWA     | Yes       |
| 802.1X             | LWA     | Yes       |
| PSK                | -       | Yes       |
| PSK                | LWA     | Yes       |
| PSK                | CWA     | Yes       |
| iPSK               | -       | Yes       |
| iPSK               | CWA     | Yes       |
| iPSK + MAB         | CWA     | Yes       |
| iPSK               | LWA     | No        |
| MAB Failure + PSK  | LWA     | No        |
| MAB Failure + PSK  | CWA     | No        |

As I know, MAB + 802.1X are both L2 auth, but MAB here is not used for auth; it is used for the WLC to build the connection database for this user.

MAB auth only, without any other L2 auth, needs you to add the MAC address to the WLC or use an external server for MAC.
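As an added illustration (not part of this thread or of Cisco's documentation), this is what the "MAB + 802.1X" row of the table above looks like on a 9800 WLC. The RADIUS server address, shared secret, and the ISE-GROUP, DOT1X-LIST, MAB-AUTHZ and CORP-WLAN names are assumed placeholders; because mac-filtering and dot1x are both Layer 2 checks on the same WLAN, a MAC that is not in the authorization source is rejected before the EAP exchange ever starts, which is the AND behaviour described in the replies.

```cisco
! Added example config for the "MAB + 802.1X" row; all names/addresses are placeholders.
aaa new-model
! RADIUS server (e.g. ISE) that answers both the MAB lookup and the 802.1X/EAP exchange
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE-GROUP
 server name ISE-1
! Method list used for the 802.1X (EAP) authentication
aaa authentication dot1x DOT1X-LIST group ISE-GROUP
! Method list used for the MAC-filtering (MAB) authorization lookup
aaa authorization network MAB-AUTHZ group ISE-GROUP
!
! Alternative to the external server: a local MAC database on the WLC
! (comment out the RADIUS authorization line above and use these instead)
! aaa authorization network MAB-AUTHZ local
! username aabb.ccdd.eeff mac
!
wlan CORP-WLAN 1 CORP-SSID
 ! Layer 2 step 1: the client MAC must be authorized via MAB-AUTHZ
 mac-filtering MAB-AUTHZ
 ! Layer 2 step 2: the client must then complete WPA2-Enterprise 802.1X
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list DOT1X-LIST
 no shutdown
```

A device that cannot do 802.1X still fails on this WLAN even when its MAC is authorized; only the separate-SSID designs discussed below let MAB-only and 802.1X clients coexist.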

JPavonM
VIP

I think @Noovi is asking if it's possible to replace dot1X with MAB due to the failure to push certificates to devices. I think you are using EAP-TLS to perform computer authentication, so that's why you want to filter them when connecting.

My recommendation is that you keep using dot1X, but instead of using certificate validation (EAP-TLS) on the RADIUS policies you use user credentials only (PEAP). Then, if you want to add this "extra" layer of security to limit the connection to those specific devices using MAB, you can do it.

ammahend
VIP

Short answer is no: you can enable both MAC filtering and 802.1X on the same SSID, but that means the WLC needs the MAC address in its database for the endpoint to perform 802.1X; it's more of an AND option than an OR option.

One option might be to have 2 separate SSIDs with the same name and use MAC filtering for one and 802.1X for the other, and when you are configuring your policy and wireless profile you can push the correct profile to the relevant devices, or advertise the one with MAC filtering in areas where you have devices not supporting certs .. you get the idea. It's not the most traditional way, but it's just an option if your device location and environment permit. Best is to have 2 separate SSIDs or what JPavonM recommended.

-hope this helps-

Haydn Andrews
VIP Alumni

Doing just this, but needing to use 2 SSIDs:

- iPSK for devices that don't support 802.1x (EAP-TLS/PEAP)
- 802.1x for devices that do support it

Have a default PSK to use in an onboarding workflow where they just get internet access to reach the MDM to provision the certificate, and an iPSK policy for devices that don't support it to get the correct VLAN assignment.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***