I should be able to just use one of my other attributes that I use later in my authentication. I was just looking to create this attribute, restart authentication, perform one CLI enforcement to delete the user from the user-table, then delete the attribute, just to keep the endpoint database clean. This would be for devices that join the network the very first time so I can get them from entering the initial role set on the controller. COAs don't seem to do much for devices that are in this Initial Role.
The bigger picture is that if I COA a user that is in the initial role assigned from the AAA/VAP profile, it doesn't actually disconnect them, so instead I need to perform a CLI enforcement profile on the device to delete them from the user-table. I am not sure if you have any tips on doing CLI enforcement policy, but I have one created; I just need to troubleshoot to see where the CLI enforcement profile is failing. I think it's because I don't have a successful authentication source. Still need to test.