What about if you use ISE for posture assessment using CWA or LWA for login? We are finding out this issue in our environment. coming from WLC 2504 with 10 AP's that works perfectly well for posture (*and guest wireless roaming), these new CW9166I's dont do well with posture, ISE and roaming. clients continue to randomly get de-authenticated from the network while still staying connected to the SSID. This only happens on the myRADIUS, ISE authentication settings, guest wireless WPA2, PSK is fine. If the user disconnects or disables wireless card, waits 10 seconds and reconnects the session is re-authenticated. OR If the user opens AnyConnect and selects in ISE posture (system scan) module "Block connection from untrusted servers" this also triggers a re-authentication without having to disconnect the wireless. We have attempted to change the AAA timers, setting from 1 to 10 seconds time out with a few other advanced settings tweaks that mirror our flawless WLC settings. We have attempted to set the bit rate from 12 all the way to 24 with auto tx power settings on both 2.4 and 5ghz, 6ghz is disabled currently, but some newer laptops use the AX wifi protocol. We setup a single AP test network and no drops are found. We have rebooted the AP and checked for air marshal's that might be containing the SSID. Whats interesting is if i test the old WLC network, my laptop connects to the closest AP. But if i connect to the new meraki wireless, my PC connects to the an AP further away. The logs also seem to show my PC is roaming to the same AP? "roamed from AP SSC_AP-02 then had a successful connection to SSID COMPANY-CORP for a minute on AP SSC_AP-02, and then the client roamed to AP SSC_AP-02" Since the guest wireless is in the meraki bridge mode, it drops the connection when roaming as 802.11r is not possible in bridge mode.
... View more