Also, run the following to identify why the iPhone is in the "Deny" role it is.
show aaa state user x.x.x.x (IP of user in question)
Look for the Role Derivation line:
Name: chris, IP: 192.168.13.152, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 60/0, Age: 00:06:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
..........................