I am trying to implement a scenario for my studying where a port on a Cisco switch is configured for dot1x and MAC authentication for an IP phone.
I want both the PC and the phone to be profiled and identified, and the PC to perform OnGuard.
I understand I would use dot1x with profiling enabled and matching all OS, such that if the device is unknown, a CoA disconnect is sent to the switch (assuming I'm doing DHCP helper on the switch), and after the device connects again it will be known. Then when he browses he will be directed to the OnGuard webpage, download and install the agent, and get his health token, and if he's healthy he will do dot1x again, be found healthy, and access the intended VLAN.
If both dot1x and MAC auth were not matched, a MAC auth policy will be matched, where all MAC addresses are accepted and then profiled. If it's an IP phone, it will be given a VLAN for voice and a class of service of 5. If not, it will join the normal PC VLAN.
I'm confused about where CoA and profiling would take place in the sequence of authentication.
It would be great if someone helped me understand this.
Thanks in advance.