Implementing 802.1x for computers behind dumb phones
Unfortunately, I had to work with what I have, namely, the Panasonic KX-NT321 IP phone, which works using the proprietary protocol, can neither LLDP, nor even CDP, and even download configuration via TFTP. But you can configure tagging on each of the switch ports from the phone itself.
So, what do we have: Microsoft NPS-based RADIUS, Cisco 2960 switches, Panasonic IP phones and computers.
I will not consider the basic configuration of RADIUS and switches, we will assume that the switches we are already clients.
Because Phones do not understand EAPoL packets, we will apply MAB (MAC Authentication Bypass) technology to them. In short, the switch takes the mac address of the phone and sends it as a login / password to RADIUS for authentication, described in more detail on cisco.com
And we will use 802.1x for computers, let us assume that everything is configured properly on the computer.
Accordingly, both the 802.1x and the MAB should be enabled on the switch port, for this only MDA (Multidomain Authentication Mode) is suitable for us, more about the modes here and thus the port config will be as follows:
interface FastEthernet0/2
switchport access vlan 99
switchport mode access
switchport voice vlan 2
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfastThe mab command is required because without it, the switch sends packets using EAP-MD5 authentication, but MS NPS does not accept this mode, so you need to use PAP.
We collect the mac addresses of our phones and add them to ActiveDirectory in a separate OU and security group (let's call them Phone) as ordinary users with a username and password as the mass address of our phones.
In NPS we create a rule for phones:

The device-traffic-class = voice parameter tells the switch that this device will go to voice vlan.
The Tunnel-Pvt-Group-ID parameter tells the switch which Vlan the device will go to, but in our case this will not work, because we configure vlan'y hands on the phone.
We create a similar rule for computers:

It is also necessary to create a connection request policy with permission to use PAP.
In the switch, you can manually set the password for MAB requests, i.e. sending an authentication request in the login line will be the mac address, and in the password line, what we will set manually on the switch:
(config)#mab request format attribute 2 yourpasswordThen in AD all phone accounts must be with this password. Materials Used:
IEEE 802.1X Port-Based Authentication
MAC Authentication Bypass Deployment Guide