As said, the IP Phone will start sending untagged traffic initially; after it learns about the voice VLAN via CDP, it will start sending tagged traffic, so the switch will put the Phone in the proper VLAN in the end.
You have a chicken-and-egg issue: to apply the dACL on the port, the switch needs to learn the IP address of the connected device (so until that happens, all IP traffic from the device is blocked), while to get an IP address via DHCP, the device needs to be able to send DHCP traffic in the network. So configure a pre-auth ACL in which you allow DHCP traffic. However, depending on the code you're running on the switch, there is a default pre-auth ACL applied which allows DHCP traffic; read here about "Default ACL Used for 802.1x": http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html
I changed both the static ACL on g0/8 and the dACL on the ISE and added "permit udp any any" to them. Although I now have hits on the ACL, still nothing works. The phone doesn't get any IP from the DHCP server, but my PC gets authenticated with no problem. When I took a look at the MAC address table on the switch, I saw this:
Switch(config-if)#do sh mac address-ta dy inter g0/8
Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
500     38ed.1855.787c    DYNAMIC     Drop
The MAC belongs to the phone. As you might notice, the MAC address of the PC is not in the table, but I have access from the PC to the network, and even ISE shows that the PC passed authentication and authorization successfully. But the MAC address of the phone is displayed as "Drop" in the voice VLAN 500. The output of "sh ip device track all" on the switch revealed just the MAC address of the PC in the data VLAN.
I'm getting disappointed with this, because I have been working on this very issue for more than 2 months, and despite all of the efforts and recommendations, I still haven't managed to resolve this simple problem.