Create a MAB AuthZ policy that matches the vendor MAC address to place the phone into the user vlan. Include 802.1x configuration for the phone config that is downloaded. Then create an 802.1x AuthZ policy for phones that have been configured that puts them on your voice vlan. Unconfigured phones will match MAB and go into the user vlan; configured phones will match the 802.1x policy and go into the voice vlan.
If the switchport's authentication priority and order are 802.1x first, you won't even need to do CoA. The switchport will see that the phone is now trying to authenticate with 802.1x and re-authenticate it.
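The switchport side of the reply above, as an added example that is not part of the original post or the poster's configuration: a Cisco IOS access port with 802.1X ahead of MAB in both order and priority, so a phone first admitted by MAB is re-authenticated when it starts speaking 802.1X. The interface name, VLAN IDs and timer value are assumptions.

```ios
! Constructed example: interface name, VLAN IDs and timer are assumptions.
interface GigabitEthernet1/0/10
 description Access port with IP phone and PC behind it
 switchport mode access
 ! User (data) VLAN: where an unconfigured phone lands after MAB
 switchport access vlan 10
 ! Voice VLAN: used once the 802.1X AuthZ result authorizes the phone for voice
 switchport voice vlan 20
 ! One voice device plus one data device on the same port
 authentication host-mode multi-domain
 ! Order: try 802.1X first, fall back to MAB if no supplicant answers
 authentication order dot1x mab
 ! Priority: an 802.1X attempt preempts an existing MAB session,
 ! so the provisioned phone is re-authenticated without a CoA
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Shorter EAP request interval so fallback to MAB is not delayed (assumed value)
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After the phone downloads its configuration, `show authentication sessions interface GigabitEthernet1/0/10 details` should show the session method change from mab to dot1x and the domain change from DATA to VOICE.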