A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?
MAB is the fallback method for devices that do not support 802.1X.
Why this answer
When a device that does not support 802.1X is connected to a port configured for 802.1X with MAB as fallback, the switch detects that no EAPOL frames are received from the device. It then initiates MAC authentication bypass (MAB), which uses the device's MAC address as the identity for authentication against the RADIUS server. If the MAC address is allowed, the port is authorized, providing a seamless fallback authentication method for non-802.1X-capable devices.
Exam trap
The trap here is that candidates often confuse MAB with web authentication or assume that any non-802.1X device will automatically trigger web authentication, but Cisco tests that MAB is the first fallback method when configured, and it uses the MAC address, not a pre-shared key or certificate.
How to eliminate wrong answers
Option A is wrong because EAP-TLS is an 802.1X authentication method that requires the device to support 802.1X and present a client certificate, which the non-802.1X-capable device cannot do. Option B is wrong because web authentication (WebAuth) is a separate fallback method that redirects HTTP traffic to a captive portal for user credentials, but it is not the default or automatic fallback when MAB is configured; MAB is tried first before WebAuth. Option C is wrong because local authentication using a pre-shared key is not a standard 802.1X or MAB mechanism; MAB relies on RADIUS server authentication using the MAC address, not a locally configured pre-shared key.