Make sure that the Role that your user gets when he connects to the IT WLAN does not have a VLAN hardcoded. To find out why a user got the VLAN use:
show user-table ip <ip address of user>
(Aruba7005-US) # show user-table ip 192.168.1.236
Name: employee-mac, IP: 192.168.1.236, MAC: b8:c8:56:38:9d:be, Age: 00:00:37
Role: authenticated-vsa (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 68/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: CPPM
Authentication Servers: dot1x authserver: CPPM, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X_VSA
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 1, Assigned: 1, Current: 1 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x1001d (tunnel 29)
Essid: ACME-TLS, Bssid: 9c:1c:12:90:5d:92 AP name/group: Office-225/default Phy-type: a-VHT-80 Forward Mode: tunnel
RadAcct sessionID:n/a
RadAcct Traffic In 74085/20866998 Out 124929/100439424 (1:8549/0:0:318:26550,1:59393/0:0:1532:38272)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:ACME-TLS-aaa_prof, dot1x:dot1x_prof-skn93, mac: CP:n/a def-role:'logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1459803277 (Mon Apr 4 15:54:37 2016)
Core User Born: 1459803277 (Mon Apr 4 15:54:37 2016)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
HTTP based device-id info - Index: 5, Device: OS X
MAC based device-id info - Index = 197, OUI = B8E856 Group = Apple
Overall device-id info - Index: 13, Device: OS X
Max IPv4 users: 2
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: N/A, dot1x auth server: CPPM
Address is from DHCP: yes
Per-user-log pointer 0x122910c (id 539), num logs 56