Just so I understand: in your environment, despite the user matching the correct Service and the correct Enforcement Profile being assigned (confirmed in Access Tracker), the client is not assigned VLAN 7?
If you run the command 'show user [MAC or IP]' on the controller, it will help identify which VLAN and how that VLAN was assigned.
For example:
Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
VLAN Derivation: Default VLAN
Vlan default: 10, Assigned: 10, Current: 10 vlan-how: 1 DP assigned vlan:0
**EDIT** Can you also post your Enforcement Profile for the VLAN8 & VLAN9? As you can see below (this is for a wired authentication but the concept is the same). Depending on my Tips role (determined by profiling the device in this case), I assign a VLAN based on its context.