Proxy RADIUS server is sending Tunnel-Private-Group ID to Extreme Control. Extreme Control profile is set to "Replace RADIUS attributes", but the product does not replace attributes UNLESS the specific attribute is defined in the "RADIUS gateway attributes to send".
Extreme Control does not remove all AVPs in the RADIUS access accept packet from the proxy RADIUS server, it will only replace what it is configured to send.
The Tunnel-Private-Group ID that is sent from the Proxy RADIUS server is being sent along with the filter-id with policy string to the Identifi Controller. Since the Identifi controller is configured to accept RFC3580 (Tunnel-Private-Group ID) it assigns the policy and overrides the policy VLAN to assign the VLAN provided in the Tunnel-Private-Group ID.