Currently we are using .1x with mac-auth-bypass and only that; we have no .1x capable clients.
We use the following portconfig:
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 1
dot1x max-reauth-req 1
So we have 2 times a timeout of 1 second, and then the MAB kicks in - ACS provides the VLAN and that's it - it works, but with an unnecessary 2s timeout.
BUT, the following Cisco diagram suggests an alternative approach.
Is it possible to bypass the .1x timeout, so that the authenticator doesn't wait 1s for EAPOL msgs any more and jumps directly to waiting for a MAC address to perform MAB? If so, I haven't found a command yet.