So with regard to roles, am I most concerned with the initial role or the authenticated role? It seems to me that authentication is working fine. I have three impacted SSIDs - Corporate (802.1X), iPad (MAC) and Guest (Captive Portal). In all three SSIDs, if I enter a static IP in the correct subnet, I can connect as expected. Further, the issue has been "corrected" by using the controller's DHCP server, which would indicate to me that the authentication is working and we should be moving out of the initial role.
So, working with my Corporate SSID:
initial role = logon
802.1X Authentication Default Role = authenticated
user-role logon
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
!
user-role authenticated
  access-list session allowall
  access-list session v6-allowall
!
ip access-list session allowall
  any any any permit
  ipv6 any any any permit
!
ip access-list session v6-allowall
  ipv6 any any any permit
!
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
  any any udp 4500 permit
!
ip access-list session v6-logon-control
  ipv6 user any udp 68 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-v6-dhcp permit
  ipv6 any any svc-dns permit
!
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive