Hi,
We are in the middle of a deployment of Cisco Meraki APs. We are migrating from Cisco WLC with RADIUS authentication via ISE for corporate LAN access via an SSID.
We are experiencing an issue where some users (not all) disconnect from the LAN to go to a meeting and connect to Wi-Fi. They should automatically connect to the corporate LAN via an SSID. This works for about 80% of users. About 20% of users cannot connect to the LAN via an SSID, as this locks out their AD account.
We have configured NAC on the AP port and it authenticates successfully on the network via ISE (3.1 Patch 3). The AP is also configured as a NAD on ISE. The users have EAP-TLS for wired Dot1x and PEAP for wireless Dot1x. The "Allow Password Change Retries" value under "Allow PEAP" and "Allow TEAP" is "3".
Any ideas on what could solve these AD lockout issues?