Using webauth on switches unfortunately has not been very successful. This is because most switches require you to make a choice on your auth method based on port. So you can either have MAB or 802.1x or MAB with 802.1x or Webauth.
Not Webauth + something else. So because of this, people tend to stay away, as port function in the network is more dynamic.
After all, who wants to open a support ticket with the network team because the printer moved from 1 cube to another?
Personal devices are normally limited to just wireless. This way you can use onboarding and multiple captive portals to get them from place to place. Hardwired becomes a challenge because captive portals at the Ethernet level haven't really taken off.
I know that our switches have been doing it for a while, but that is because we rely on a 'role' based authentication model where others do port based.
So we can have a captive portal per role and COA your role at will.
With Cisco you can COA the DACL, but because the captive portal stuff is port based, you can't COA the configuration of the port.
You might be able to do some sort of telnet enforcement, where you change the running config based on a telnet enforcement profile. But I have never tested nor attempted this, so I don't know if it's possible. Even then, it seems like a lot of problems can happen with timeouts.
This might be one of those situations where it's best to limit to wireless only.