DHCP profiling - the idea is for ClearPass to put unprofiled devices into a role that allows DHCP. When ClearPass profiles the device, it will automatically trigger a CoA that should force the client to re-authenticate, upon which role-mapping can now use the information in the endpoint profile to make a different decision on user role.
When the switch receives the CoA disconnect, the L3 user session gets removed from the switch, but we have phones that won't attempt DHCP again until a timeout value on the phone is exceeded - it appears to be about 4 minutes. Doing a CoA that bounces the PoE state on the port would force the phone to reboot, and it would get the proper user-role much more quickly.
This problem should only occur one time in any case, because it only happens the first time a device is profiled, unless it hasn't been connected to the network in a long time and ClearPass has purged the endpoint out.
We moved away from doing role assignment by DHCP profiling for now in any case; we have other devices that don't deal well with having the L3 session removed via CoA. Maybe actually bouncing the port state would work better, and if doing that actually bounces PoE as well, as suggested above, that would be a solution to our problem.
We're using MAC-auth for these types of devices until we can test profiling more thoroughly (we also have the issue of false matches for profile fingerprints).