Not really understanding your pain points, but I think its a lack of detail. Most organizations I would think would use TACACS or radius for credentials and have a static profile set up for either all devices, or groups of devices, within Radius. As mesverrum pointed out, you should be able to use "auto-detect" when adding devices and get them assigned the right profile that way.
If an approach like this was taken, I'm curious what your pain points were.
If not using a centralized authentication server, I'd have to ask why not and what are you doing?