Best practice is to have ClearPass server redundancy .
This is from the Cisco Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387266"When the authentication server is unavailable, 802.1X fails and all endpoints are denied access by default. In a highly available enterprise campus environment, it is reasonable to expect that a switch is always able to communicate with the authentication server, so the default behavior may be perfectly acceptable. However, there may be some use cases, such as a branch office with occasional WAN outages, where the switch cannot reach the authentication server, but endpoints should be allowed access to the network.
If the switch already knows that the authentication server has failed, either through periodic probe or as the result of a previous authentication attempt, a port can be deployed in a configurable VLAN (sometimes called the critical VLAN) as soon as the link comes up. Because the switch has multiple mechanisms for learning that the AAA server has failed, this outcome is the most likely. If the switch determines that the authentication server has failed during an 802.1X or MAB authentication (for example, if this is the first endpoint to connect to the switch after connectivity to the authentication server has been lost), the port is moved to the critical VLAN after the authentication times out. Previously authenticated endpoints are not affected in any way; if a re-authentication timer expires when the authentication server is down, the re-authentication is deferred until the switch determines that the authentication server has returned.
The critical VLAN can be any VLAN except the voice VLAN. If no VLAN is specified, the port fails open into the switch data VLAN."
Another option that is not very secure is to create a backup script to disable MAB under each interface using the interface range but that is a security risk since you will allowing any device to connect.
Sent from Outlook Mobile