09-27-2017 06:28 AM - edited 02-21-2020 10:35 AM
Dear sir
Please let me know
Whether we require the below features for NAC implementation and why we require them. Which switch supports these features for NAC implementation?
1.Multidomain authentication.
2.Dynamic ACLs for switch ports.
3.Radius attribute for Captive Portal / Web Authentication redirection
4.
09-27-2017 04:11 PM
Hi
Let me reply to all your points:
- Multi domain authentication is required if you have a voice device and a data device connected to the same port. You want to apply different policies to those 2 devices, which are for different use. There is also a multi host authentication if you have, for example, multiple devices connected to the same switch port. For multi domain, we're leveraging the CDP or LLDP protocol to identify voice devices.
- Dynamic ACLs. There are 2 topics here. On some devices, you need to create the ACL locally on the device and push the ACL name from your RADIUS to apply this ACL to a particular port or user (example for a wireless controller). You have a second topic called downloadable ACL. This means that you create the ACL on your RADIUS server (like ISE) and you push that ACL on a per-authentication basis. It's the same as previously explained except that you don't need to configure those ACLs on every switch. You just configure them on the RADIUS server. It's better for management, for example, because you maintain them on 1 central point instead of hundreds and hundreds of switches.
- Web auth. This allows devices not being authenticated through the dot1x or MAB process to get a chance to type in some credentials to authenticate and get network access (example for guests). Now you have different ways to achieve that: you can send a redirect URL directly to the switch or make the RADIUS (like ISE) the DHCP server. The important part in that way (DHCP) is that your RADIUS server will be the DNS server; it will intercept all DNS requests from the user to make a redirect to the guest portal. This is mandatory for 3rd party switches that don't support URL redirect.
All switch vendors support basic features but not advanced ones like port-bounce, for example if you want to do CoA (change of authorization) based on device profiling.
Now if I have to give you a vendor name, I'll say Cisco for sure.
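To make the three features in the answer above concrete, here is an added example (not from the thread or from Cisco's documentation) of a classic IOS 15.x switch-port configuration and the RADIUS attributes each feature relies on. The ISE address 10.0.0.10, VLANs 10/20, the ACL names and the secret placeholder are assumptions.

```text
! Added example, not from the original thread. Assumed: classic IOS 15.x
! access switch, ISE at 10.0.0.10, data VLAN 10, voice VLAN 20.
aaa new-model
aaa authentication dot1x default group radius
! network authorization is what lets the switch accept dACL / redirect attributes
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! accept CoA (including port-bounce after profiling) from ISE
aaa server radius dynamic-author
 client 10.0.0.10 server-key <RADIUS-SECRET-PLACEHOLDER>
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET-PLACEHOLDER>
dot1x system-auth-control
! the switch must learn the client IP to bind a downloadable ACL to it
ip device tracking
! local HTTP server is what performs the URL redirect for web-auth users
ip http server
! traffic matched by this ACL is redirected to the portal; DNS and ISE are excluded
ip access-list extended REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.0.0.10
 permit tcp any any eq www
 permit tcp any any eq 443
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one data device plus one voice device (voice identified via CDP/LLDP)
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS attributes ISE returns per feature (illustrative values):
!  Named ACL already on switch : Filter-Id = "GUEST-ACL.in"
!  Downloadable ACL (dACL)     : cisco-av-pair = "ip:inacl#1=permit ip any any"
!  Web-auth redirect           : cisco-av-pair = "url-redirect-acl=REDIRECT"
!                                cisco-av-pair = "url-redirect=https://<ise-portal-placeholder>/..."
!  Voice domain permission     : cisco-av-pair = "device-traffic-class=voice"
```

On IOS-XE 16.x the `ip device tracking` line is replaced by a `device-tracking` policy, and the per-interface `authentication ...` commands have a newer policy-map form; the attributes returned by ISE are the same.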
09-27-2017 07:53 PM
In addition to the earlier answer you should also refer to the Cisco ISE Network Component Compatibility Guide for features vs. switch models.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#13367