the outdoor class 1542's required mac auth on airos,  were on 8.5.182.7  (answers Leo's question) aok.

moved to the 9800 on 17.9.4a and only 1 attached.  the failed unit was reported as auth failure and was moved back to the 5508, no issue.  

I'm, pushing the problem child the the 5520 on 8.10.185.0.  At this point I don't suspect a cert issue.

I know how to do AP mac auth in airos..  but not clear on the sequence for the 9800.  

             >...I know how to do AP mac auth in airos..  but not clear on the sequence for the 9800.
  Check this documentation : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html

   After the 9800 controller has been configured accordingly  , have a checkup of it's configuration using the CLI command 
                                             show tech wireless and feed the output into Wireless Config Analyzer

 M.

The saga continues.   Leo, I would expect an expired cert to also block the association to the 5520.

That being said, I am logged on to the AP and changing the primary-base target between 5520 and the 9800.  as the primary object was to get the ap off the 5508, mission is accomplished. I did find a location to enter the AP mac ; Configuration, wireless, Access Points, AP Certificate Policy: Authorize Aps joining with MIC and add the mac..  but still no joy.

Console into the AP and reboot it.  
Post the entire boot-up process and attempts to join the 9800.  IF there are expired certificates, it will show up in the AP log.

Maybe you already have "config ap cert-expiry-ignore mic enable" configured on the 5508 and 5520 but you're missing the equivalent config on the 9800?

um, well yes.  Had a bunch of x700's on them.  I have a 3rd 1542 that has yet to be deployed.  testing now.

Wave 1 AP's were supported in 16.x and 17.3 code but remove above that.  However due to popular demand, they were returned in 17.9.3 and above.

That being said, the x702 series did experience cert expiration back in 22 and require temporary date reset.

My Wave1 aps work fine on 17.9.4a

Hi @aaronbrown it depends what version of code is installed on the APs.
There are some major changes to the CAPWAP protocol in recent 9800 code which are not compatible with older AireOS code.  You either need to migrate the APs to an intermediate version which supports the CAPWAP changes or pre-install the correct image on the APs.
What version is the 5508 running?
What version is the 9800 which you are migrating to running?
Have you checked the complete console logs of a failing 2702 from power on? Attach here as a .txt file.  That should help diagnose the issue.

Ah well that's the same issue David had already mentioned so assumed you had checked that.

If an AP is in bridge mode then you must configure AP authorisation of the AP MAC address on the WLC for it to be able to join.  No doubt you had already done this on the 5508 but not on 9800.  The quick and easy fix (as you mentioned) is to change the AP to local mode if mesh is not required.