Yes, we're doing wired MAC authentication. The idea is that if an unknown endpoint tries MAC authentication, the CPPM can send an access-reject with a redirect URL for web authentication. I know we can configure CPPM to send a redirect URL attribute with an access-accept message even for unknown clients, but there is a slight limitation on the switch side which currently requires the attribute to come with a reject message. I also checked the RFC, which allows sending any number of attributes with a reject message.
Thanks