We have a (2) node ISE cluster running version 2.6 patch 11 and are trying to set up new Cisco C9200 switches running IOS 17.6.3. We are noticing issues with our Shoretel phones that when they are connected to a port that is configured for ISE authentication/authz, they pass authc and authz but do not get a DHCP address. We are not running a "voice vlan" port configuration for the phones as the desktops do not connect to the phones and trunk through them into the switch. The phones and desktops are on their own independent ports. So far I've tried putting a desktop on the same vlan as one of the phones and it worked perfectly fine (passed authc, authz, and received an IP address from the DHCP server within the same scope that is designated for the phones). Before we started moving to Cisco C9200s, we were using C3850s with very old code on them (v3.6.4) and the phones seem to have no issues when connecting to those switches.

I am starting to think this issue is related to the phones and how they behave as DHCP clients when ISE is involved. They also use a special option (option 156) which sets a few parameters for them including the tagged VLAN. Since the port they're connected to is an access port for the VLAN they need to be on, I am wondering if this option might be causing issues with the phone receiving a DHCP address?

FYI: I also have a case open with TAC but they've been really slow at getting back to me as it doesn't count a sev 1 or 2.