
Cisco AIR-CAP3702E. Dynamic VLAN assignment. Client fails DHCPOFFER

duhvir
Level 1

I have an AIR-CAP3702E connected to a 3850. On the 3850, VLANs 102 and 110 exist; both have "ip helper-address" and no ACL.

 

AP config:

 

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec year
service password-encryption
!
hostname AP-3702-01
!
!
logging count
logging userinfo
logging buffered 512000
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius WiFiRadiusServers
server name russt-unix-ss
ip radius source-interface BVI1
!
aaa authentication login default local
aaa authentication login wifi_login group WiFiRadiusServers
aaa authorization console
aaa authorization exec default local if-authenticated
aaa accounting suppress null-username
aaa accounting update periodic 10
aaa accounting network WiFi_New start-stop group WiFiRadiusServers
!
!
!
!
!
aaa session-id common
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name InternetApple vlan 102
dot11 vlan-name TewtWiFi vlan 110
!
dot11 ssid test1
vlan 110
authentication open eap wifi_login
authentication network-eap wifi_login
authentication key-management wpa version 2
mbssid guest-mode
!
dot11 ssid test2
vlan 102
authentication open eap wifi_login
authentication network-eap wifi_login
authentication key-management wpa version 2
mbssid guest-mode
!
!
!
power inline negotiation prestandard source
no ipv6 cef
!
!
!
!
ip tftp source-interface BVI1
ip ftp source-interface BVI1
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
encryption vlan 110 mode ciphers aes-ccm
!
encryption mode ciphers aes-ccm
!
ssid test1
!
ssid test2
!
antenna gain 0
stbc
mbssid
packet retries 64 drop-packet
channel 2412
station-role root
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.102
encapsulation dot1Q 102
no ip route-cache
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 spanning-disabled
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
!
interface Dot11Radio0.110
encapsulation dot1Q 110
no ip route-cache
bridge-group 110
bridge-group 110 subscriber-loop-control
bridge-group 110 spanning-disabled
bridge-group 110 block-unknown-source
no bridge-group 110 source-learning
no bridge-group 110 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
encryption vlan 110 mode ciphers aes-ccm
!
encryption mode ciphers aes-ccm
antenna gain 0
stbc
mbssid
packet retries 64 drop-packet
channel width 80
channel 5180
station-role root
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!

interface Dot11Radio1.102
encapsulation dot1Q 102
no ip route-cache
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 spanning-disabled
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
!
interface Dot11Radio1.110
encapsulation dot1Q 110
no ip route-cache
bridge-group 110
bridge-group 110 subscriber-loop-control
bridge-group 110 spanning-disabled
bridge-group 110 block-unknown-source
no bridge-group 110 source-learning
no bridge-group 110 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.102
encapsulation dot1Q 102
no ip route-cache
bridge-group 102
bridge-group 102 spanning-disabled
no bridge-group 102 source-learning
!
interface GigabitEthernet0.110
encapsulation dot1Q 110
no ip route-cache
bridge-group 110
bridge-group 110 spanning-disabled
no bridge-group 110 source-learning
!
interface BVI1
mac-address 58ac.78d1.49dc
ip address 10.10.10.231 255.255.255.0
ip route-cache same-interface
no ip route-cache
!
ip default-gateway 10.10.10.2
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip ssh rsa keypair-name SSHkeys
ip ssh version 2
ip radius source-interface BVI1
!
logging trap notifications
logging facility local5
logging source-interface BVI1
logging host 10.10.0.24
!
radius server russt-unix-ss
address ipv4 10.10.0.33 auth-port 1812 acct-port 1813
timeout 2
retransmit 3
pac key 7 xxx
!
bridge 1 route ip

 

When I connect to "test1", all is OK.

When I connect to "test2", all is OK.

 

When I add Freeradius reply attributes:

update reply {
Tunnel-Type := 13
Tunnel-Medium-Type := 6
Tunnel-Private-Group-Id := 110
}

 

and connect to "test1",

all works fine. I see these attributes on the access point during debug. Cisco honors and applies them, but nothing changes because the VLAN isn't changed.

 

When I add Freeradius reply attributes:

update reply {
Tunnel-Type := 13
Tunnel-Medium-Type := 6
Tunnel-Private-Group-Id := 102
}

and connect to "test1",

I see these attributes on the access point during debug. Cisco honors and applies them. I see that the bridge ID changed in

show dot11 assos mac

and the VLAN also changed to 102.

 

But I can't obtain an address through DHCP. I see the DHCP discover, then I see the DHCP offer. But I suppose the Cisco AP doesn't send the offer to the client for some reason. I can't find any reason, though. There is no DHCP request or ACK. Everything stops at the offer.

Maybe there are some tricks that I forgot?

My guess is that Cisco sends the discover to VLAN 102, but maybe there is a bug or something and it sends the offer to VLAN 110? But we all know that Cisco doesn't have bugs ) So I suppose that I am missing something.

 

DHCP log:

Sep 10 15:32:02 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:03 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:06 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:06 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:10 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:10 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
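
The symptom in the log above can be confirmed from the DHCP server side. The following is an added example, not part of the original post: it parses ISC dhcpd syslog lines and reports clients that keep receiving DHCPOFFER but never send DHCPREQUEST. The function name, the `min_offers` threshold and the second client (MAC `02:00:00:00:00:01`, relay `10.10.110.1`) are assumptions constructed for contrast.

```python
import re
from collections import defaultdict

# ISC dhcpd syslog format, as in the post: "<MSG> ... <mac> ... via <relay>"
LINE_RE = re.compile(
    r"dhcpd\[\d+\]: (DHCP[A-Z]+) .*?"
    r"\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*? via (\S+)",
    re.IGNORECASE,
)

def find_stalled_clients(log_text, min_offers=2):
    """Map MAC -> summary for clients offered a lease at least min_offers
    times that never sent DHCPREQUEST and never received DHCPACK."""
    counts = defaultdict(lambda: defaultdict(int))
    relay = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dhcpd message line
        msg, mac, via = m.group(1).upper(), m.group(2).lower(), m.group(3)
        counts[mac][msg] += 1
        relay[mac] = via  # relay (giaddr) the server last saw for this client
    stalled = {}
    for mac, c in counts.items():
        if c["DHCPOFFER"] >= min_offers and not (c["DHCPREQUEST"] or c["DHCPACK"]):
            stalled[mac] = {"discovers": c["DHCPDISCOVER"],
                            "offers": c["DHCPOFFER"], "via": relay[mac]}
    return stalled

# Log lines copied from the post.
POST_LOG = """\
Sep 10 15:32:02 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:03 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:06 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:06 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:10 test-unix dhcpd[31032]: DHCPDISCOVER from ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
Sep 10 15:32:10 test-unix dhcpd[31032]: DHCPOFFER on 10.10.102.192 to ec:0e:c4:04:be:0b (NotePod) via 10.10.102.1
"""
# Constructed lines (not from the post): a client that completes the handshake.
CONSTRUCTED_LOG = """\
Sep 10 15:33:00 test-unix dhcpd[31032]: DHCPDISCOVER from 02:00:00:00:00:01 (lab-client) via 10.10.110.1
Sep 10 15:33:01 test-unix dhcpd[31032]: DHCPOFFER on 10.10.110.50 to 02:00:00:00:00:01 (lab-client) via 10.10.110.1
Sep 10 15:33:01 test-unix dhcpd[31032]: DHCPREQUEST for 10.10.110.50 (10.10.0.24) from 02:00:00:00:00:01 (lab-client) via 10.10.110.1
Sep 10 15:33:01 test-unix dhcpd[31032]: DHCPACK on 10.10.110.50 to 02:00:00:00:00:01 (lab-client) via 10.10.110.1
"""

if __name__ == "__main__":
    print(find_stalled_clients(POST_LOG + CONSTRUCTED_LOG))
```

A hit means the server received the discover through the listed relay and answered it, so either the offer is not reaching the client or the client is not acting on it.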

2 Replies

Rich R
VIP

Well, you're missing the 102 and 110 sub-interfaces on your dot11Radio1 interface.

Which band (radio) were your clients connected to?

No, I'm not. I think this is a copy issue, sorry ( The interfaces are in place. And I use 2.4 GHz anyway, so Dot1 is not used.

I've edited the question, thanks for the remark )
