I would use the profiler to determine that it is an IP Phone, but if all phones have the same MAC prefix, that would technically work as well (just not protect against MAC spoofing).
Also, I would use the [Allow All MACAuth] service, so you don't need to mark the Endpoint as 'Known', unless you have another reason to mark the endpoint Known.
In all cases so far, in such situations there was a slight difference in what is in the Access Tracker and what is tested in Enforcement or Role Mapping.
One thing that I would do is check the MAC prefix in a role-mapping, then during Enforcement base your decision on the assigned roles. The first benefit is that you can see in Access Tracker which roles are assigned, so you quickly see that it has correctly interpreted the MAC prefix. The second is that you can easily add more prefixes to the role-mapping and/or use profiling as a second option to detect your phones.
Also, if you haven't yet, check the ClearPass Solution Guide: Wired Policy Enforcement for best practices for such a scenario. If you prefer video content, check Aruba ClearPass Workshop - (Video series), which covers a similar scenario as well (just with profiling, not with MAC prefix, but the approach is similar).
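
The two-stage approach from the post above (role mapping on MAC prefix or profiling, then enforcement on roles only), sketched as an added Python model. It is not part of the original post and is not ClearPass configuration. The OUI values, role names, profile category string and result names are all constructed assumptions.

```python
import re

# Constructed OUI prefixes (assumption): replace with your phone vendor's.
PHONE_OUIS = {"001122", "AABBCC"}

def normalize_mac(raw):
    """Strip separators and upper-case so every notation compares equal."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def naive_prefix_match(raw, prefix="00:11:22"):
    """Compares the raw string: misses the same MAC in another notation,
    the kind of displayed-vs-tested mismatch the post warns about."""
    return raw.startswith(prefix)

def map_roles(raw_mac, profiled_category=None):
    """Stage 1, role mapping: roles from MAC prefix and/or profiling."""
    roles = set()
    if normalize_mac(raw_mac)[:6] in PHONE_OUIS:
        roles.add("phone-by-oui")          # hypothetical role name
    if profiled_category == "VoIP Phone":  # assumed category string
        roles.add("phone-by-profile")      # hypothetical role name
    return roles

def enforce(roles):
    """Stage 2, enforcement: decide on roles only, never on the raw MAC."""
    if roles & {"phone-by-oui", "phone-by-profile"}:
        return "voice-vlan"                # hypothetical result name
    return "default-deny"                  # hypothetical result name

def evaluate(raw_mac, profiled_category=None):
    """Return (roles, decision); the roles are what you would inspect first
    when a phone lands in the wrong place."""
    roles = map_roles(raw_mac, profiled_category)
    return sorted(roles), enforce(roles)

if __name__ == "__main__":
    # Constructed sample requests: same phone in three notations, one unknown.
    for mac in ("00:11:22:aa:bb:cc", "00-11-22-AA-BB-CC",
                "0011.22aa.bbcc", "de:ad:be:ef:00:01"):
        print(mac, naive_prefix_match(mac), evaluate(mac))
```
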