
Authenticating Cisco Phone via ISE / Profiling

GRANT3779
Spotlight

I am trying to get my Cisco Phone to authenticate using MAB/Profiling but am having issues. I have my PC and Machine authenticating using EAP-TLS successfully.

I have disabled 802.1x on the phone.

I can see my phone under endpoint identity groups / Profiles / Cisco-IP-Phone.

Attached is a screenshot from Policy Set. This is also the first one in my list of policy sets. I know Radius itself is working as I can authenticate my machine and user account on a different policy set.

Port Config -


switchport access vlan 521
switchport mode access
switchport nonegotiate
switchport voice vlan 643
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input PER-PORT-MARKING
service-policy output PER-PORT-QUEUING

Some additional radius config below

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 30

Any ideas where to look next for this? Phone just sticks at configuring IP. Authorisation profile is set to permit ip any any. Use "Database" is set to continue if user not found.


agrissimanis
Level 1

In your "Cisco_IP_Phones" authorization profile, do you have "Voice Domain Permission" ticked in the Common Tasks section? Without that, the phone would not be allowed to join the VOICE VLAN.
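
A check for the point raised in this reply, as an added example that is not part of either post: it models how a multi-domain port places an endpoint depending on whether the Access-Accept carries the `cisco-av-pair` that ISE sends when "Voice Domain Permission" is ticked, and also looks for the interface-level `mab` command. `PORT_CONFIG` is a subset of the port configuration from the question; the Access-Accept attribute lists and all function names are constructed for illustration.

```python
# Added example, not from the thread. ACCEPT_* attribute lists are constructed.
PORT_CONFIG = """\
switchport access vlan 521
switchport mode access
switchport voice vlan 643
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
"""

# cisco-av-pair that ISE adds when "Voice Domain Permission" is ticked
VOICE_AVPAIR = "device-traffic-class=voice"
ACCEPT_WITHOUT_VOICE = [("Class", "CACS:constructed-session")]
ACCEPT_WITH_VOICE = [("cisco-av-pair", VOICE_AVPAIR)] + ACCEPT_WITHOUT_VOICE


def parse_port(config):
    """Pull out the interface settings that decide how a phone is handled."""
    lines = [l.strip().lower() for l in config.splitlines() if l.strip()]

    def last_word(prefix):
        return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

    return {
        "data_vlan": last_word("switchport access vlan"),
        "voice_vlan": last_word("switchport voice vlan"),
        "host_mode": last_word("authentication host-mode"),
        # 'authentication order mab ...' only orders methods; 'mab' enables MAB
        "mab_enabled": any(l == "mab" or l.startswith("mab ") for l in lines),
    }


def session_domain(port, accept_attrs):
    """Domain the switch places the endpoint in after an Access-Accept."""
    voice = any(n.lower() == "cisco-av-pair" and v.strip().lower() == VOICE_AVPAIR
                for n, v in accept_attrs)
    return "VOICE" if voice and port["voice_vlan"] else "DATA"


def findings(port, accept_attrs):
    """Reasons a MAB-authenticated phone would not reach its voice VLAN."""
    out = []
    if not port["mab_enabled"]:
        out.append("interface has no 'mab' command")
    if session_domain(port, accept_attrs) != "VOICE":
        out.append("Access-Accept lacks cisco-av-pair=%s; phone is authorized in "
                   "the DATA domain (vlan %s), not voice vlan %s"
                   % (VOICE_AVPAIR, port["data_vlan"], port["voice_vlan"]))
    return out
```

On the switch, `show authentication sessions interface <if> details` shows the domain actually assigned to the phone's MAC, which can be compared against what this model predicts.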