Find out what role those users are ending up in and why.
Type "show user-table ip <ip address of user>"
The output will tell you how the user obtained that vlan and role:
Name: employee IP: 192.168.1.188, MAC: 3c:28:6d:05:c2:c9, Age: 00:00:27
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 88/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: ClearPass
Authentication Servers: dot1x authserver: ClearPass, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN