So what I showed on my picture worked as designed. That was a picture of our services > Enforcement profile.
So a new endpoint would not match anything on the enforcement profile until the very end - it would get user authenticated and wired-device-profile.
The switch port would be assigned a vlan XX and bounce the port and get an IP Address.
Next time the device comes up, it gets profiled because of the IP address and is assigned a new vlan according to the enforcement profile.
If you see, my APs had to be in the Endpoint Repository before getting assigned to the proper vlan. So now that it was profiled it would get the new vlan.
Here is the problem - the AP holds on to the old IP address and the port gets assigned a new vlan. The port bounce by ClearPass only bounces the data, not the power. So the AP still has an IP from the old vlan and will only release it if you remove power and plug it back in.
I had the same problem with both intercom and AP.
*********************************************************************
However, I changed my enforcement profile to say -
Connection: Client-Mac-Vendor CONTAINS Aruba - wired-wifi-guhsd
Now that device comes up and is assigned the proper vlan and IP address on the first round.