This is Functioning As Designed. From the D2 CLI guide:
Configuring User + IP Phone Authentication
User + IP phone authentication is a legacy feature that allows a user and their IP phone to both use a single port on the switch but to have separate policy roles. The user’s PC and their IP phone are daisy‐chained together with a single connection to the network.
Note: The only multi-user authentication supported on the D2 is User + IP Phone. The IP phone and the user may authenticate using 802.1x or MAC authentication.
With ʺUser + IP Phoneʺ authentication, the policy role for the IP phone is statically mapped using a policy admin rule which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice VLAN) to an specified policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone be configured to send VLAN‐tagged packets tagged for the “Voice” VLAN. Refer to the Usage section for the command “set policy rule” on page 12‐10 for additional information about configuring a policy admin rule that maps a VLAN tag to a policy role.
Note that if the IP phone authenticates to the network, the RADIUS accept message must return null values for RFC 3580 tunnel attributes and the Filter‐ID.
The second policy role, for the user, can either be statically configured with the default policy role on the port or dynamically assigned through authentication to the network (using a RADIUS Filter‐ID). When the default policy role is assigned on a port, the VLAN set as the portʹs PVID is mapped to the default policy role. When a policy role is dynamically applied to a user as the result of a successfully authenticated session, the “authenticated VLAN” is mapped to the policy role set in the Filter‐ID returned from the RADIUS server. The “authenticated VLAN” may either be the PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override if the PVID Override is enabled.