Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Recommended Roles for WPA2 PSK and MAC authentication

  • 1.  Recommended Roles for WPA2 PSK and MAC authentication

    Posted May 19, 2020 10:46 PM

    Good day. We have implemented WPA2 PSK and MAC authentication for wireless clients that are statically assigned IP addresses. For this scenario, a User Role was created that blocks all IPv4 traffic and assigned to the Initial Role, and the "Authenticated" role was assigned to the MAC authentication default role. The MAC authentication default role is used if no valid role is returned from the ClearPass server. This seems to have worked so far during testing, as a wireless test client assigned a static IP address successfully authenticated to the WLAN and was able to ping the default gateway.

     

    My question is: would these same roles be valid when used with wireless clients that are assigned IP addresses via a DHCP server? I am just not exactly sure when communication between the wireless client and the DHCP server occurs, and not sure if our Initial Role that blocks all IPv4 traffic will cause the wireless client to fail to obtain an IP address. Any insights? Thanks in advance...

     



  • 2.  RE: Recommended Roles for WPA2 PSK and MAC authentication
    Best Answer

    MVP GURU
    Posted May 20, 2020 09:21 AM

    DHCP will work after the client is MAC authenticated. I have worked with customers that deny all traffic in the initial role and allow it after MAC authentication, because they do not want multiple IP entries in the user-table for a single device. You should be safe denying traffic on the initial role, and allowing traffic to a DHCP server in the final role.