Do the phones do 802.1X username/password or Certificate authentication? In order to perform the logic of device type, the authentication has to succeed first. That authentication needs to be validated somehow, and after then you can use role mapping or enforcement policy to say "Device Category = VoIP Phone" to then assign a VLAN or dACL (cisco).
If you do MAC-based Authentication, you can do Allow All MAC Auth, and do the same logic. If you have computers connected behind the phones, and your using Cisco, make sure you configure Multihost (forget actual name, it's Multi something)