Wired Intelligent Edge

I'm troubleshooting an issue with Polycom phones not being placed in the voice VLAN after authenticating on untrusted MAS ports.  As the MAS guide states, you can't apply a VOIP profile in an interface group if the port is untrusted, so we're sending a phone role from clearpass that includes a reference to a voip profile that already exists on the switch.  The phone stays in the VLAN specified in the interface group's switching profile and never switches over to the voice VLAN.  If you look up the MAC in the MAC table, it says the MAC is in the voice VLAN, yet if you 'show arp' the MAC is in the switching profile's VLAN.

Before we switched to untrusted ports, these phones worked on the VOIP VLAN flawlessly.  The VOIP profile had static mode set and was applied to the interface group's switching profile.  Not sure why doing authentication on the ports has introduced a problem.  We're doing exactly as the user guide instructs: send a role to the switch and specify the VOIP profile in the role.  Not sure what else there is to do.  I'm wondering if this is a bug.  Any thoughts?

The phone may have a workstation plugged into it and we want VLAN separation of the two devices.

So then what's the point of using a voip profile on an untrusted port?  I assumed this was the only way to associate two devices on the same port to different VLANs.

Still though, the point is that this should work but it doesn't. :(