Customer is using 802.1X authentication for IP phones on the current CUCM cluster (version 9.x). We will migrate the phones to a new CUCM cluster (version 12.x).
What is the best approach to deal with 802.1X authentication?
So I think it would depend on how 802.1X was deployed. Are you using LSCs signed by CAPF, or Manufacturing certs, which are signed by the Manufacturing CA? CAPF is typically self-signed in CUCM.
I would first start by truly understanding how 802.1X was deployed: look at the certs used for trust and see if you can't just add the new additional trust from the new cluster, and then do a test migration via 802.1X.
I think another method would be to set up a temp policy to fail over to MAB in the event 802.1X fails, but that is more of an ISE topic.
Here are some docs on related items.
CAPF/Manufacturing CA certs are uploaded to authentication servers like Cisco Secure Access Control Server (ACS) or Identity Services Engine (ISE). The authentication server uses the uploaded certificates to authenticate the phone when it presents its certificate (LSC or MIC).
This might help you for the migration as well.
The documents below explain moving a phone from one cluster to another.
Since it's an ISE topic, it's better to open a discussion in the ISE community.