diff --git a/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE.erl b/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE.erl
index 168d544cb..0ae81435d 100644
--- a/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE.erl
+++ b/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE.erl
@@ -86,6 +86,7 @@ end_per_suite(_) ->
 
 set_special_configs(emqx) ->
     application:set_env(emqx, allow_anonymous, false),
+    application:set_env(emqx, acl_nomatch, deny),
     application:set_env(emqx, enable_acl_cache, false),
     application:set_env(emqx, plugins_loaded_file,
                         emqx_ct_helpers:deps_path(emqx, "test/emqx_SUITE_data/loaded_plugins"));
@@ -116,18 +117,18 @@ deinit_mysql_data() ->
 
 t_check_acl(_) ->
     User0 = #{zone => external,peerhost => {127,0,0,1}},
-    allow = emqx_access_control:check_acl(User0, subscribe, <<"t1">>),
+    deny  = emqx_access_control:check_acl(User0, subscribe, <<"t1">>),
     User1 = #{zone => external, clientid => <<"c1">>, username => <<"u1">>, peerhost => {127,0,0,1}},
     User2 = #{zone => external, clientid => <<"c2">>, username => <<"u2">>, peerhost => {127,0,0,1}},
     allow = emqx_access_control:check_acl(User1, subscribe, <<"t1">>),
-    deny = emqx_access_control:check_acl(User2, subscribe, <<"t1">>),
+    deny  = emqx_access_control:check_acl(User2, subscribe, <<"t1">>),
 
     User3 = #{zone => external, peerhost => {10,10,0,110}, clientid => <<"c1">>, username => <<"u1">>},
     User4 = #{zone => external, peerhost => {10,10,10,110}, clientid => <<"c1">>, username => <<"u1">>},
     allow = emqx_access_control:check_acl(User3, subscribe, <<"t1">>),
     allow = emqx_access_control:check_acl(User3, subscribe, <<"t1">>),
-    allow = emqx_access_control:check_acl(User3, subscribe, <<"t2">>),%% nomatch -> ignore -> emqx acl
-    allow = emqx_access_control:check_acl(User4, subscribe, <<"t1">>),%% nomatch -> ignore -> emqx acl
+    deny  = emqx_access_control:check_acl(User3, subscribe, <<"t2">>),%% nomatch -> ignore -> emqx acl
+    deny  = emqx_access_control:check_acl(User4, subscribe, <<"t1">>),%% nomatch -> ignore -> emqx acl
     User5 = #{zone => external, peerhost => {127,0,0,1}, clientid => <<"c3">>, username => <<"u3">>},
     allow = emqx_access_control:check_acl(User5, subscribe, <<"t1">>),
     allow = emqx_access_control:check_acl(User5, publish, <<"t1">>).