What WLC version and APSP are you seeing that on?

WLC: C9800-CL - 17.12.1 / APs: C9136I-ROW

Maybe think about upgrading to 17.12.3 - there are quite a lot of bug fixes in 17.12.2 and 17.12.3:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#resolved-caveats-for-cisco-ios-xe-dublin-17.12.3
And that's only the more serious bugs which Cisco decided to list in the release notes.  In fact there are a whole lot more which are not listed there.

We are considering upgrading to 17.12.3. We are just waiting Cisco become it recommended version that I think it will be soon.

---

@listcsbgnetsecurity wrote:
We are just waiting Cisco become it recommended version that I think it will be soon.

---

Don't wait for Cisco.  We are dumping 17.9.X and are about to start going to 17.12.3 -- And I am talking about routers, switches and WLC.  17.9.X is a flaming train wreck.  We've got so many TAC cases around this train and a lot of the workarounds have been "reboot AP, switches, routers" that it is no longer funny.

17.12.1 for the controller version. Unfamiliar with the APSP terminology. Is that a separate number than the WLC code train? 

APSP means AP Service Pack.  This is a patch for the AP. 

SMU means Software Maintenance Update and this is a patch for the WLC.

We haven't applied any service packs or anything other than just upgrading the controller (then subsequently the AP's) to whatever the default service pack would be for controller code 17.12.1.

Not all SMU/APSP is good. 

Take, for example, 17.9.4a APSP8.  Installing APSP8 will cause more damage because it was not tested at all.  Instead of fixing, the APSP8 introduced more catastrophic bug like CSCwj45141 & CSCwi96176 (and a lot more).

It is a balancing act to follow recommendations from TAC blindly or to think smart.  

Justo to inform and keep you apprised, we started facing the issue again last week and we decided to upgrade our WLC / APs to 17.12.3 IOS-XE version. I will let you know about results. 

I have received numerous reports as of recently that the issue was gone all summer when the campus was quiet and only 5% of our user base was on site.

However, now that our user base has returned, reports of this issue have increased exponentially. 

I am currently on WLC version 17.12.2 at the moment. 

Yes I have, the ISE nodes have absolutely zero indication of a failure. As far as ISE is concerned, the client only has its previous successful authentication. Nothing about a new, failed one when the client experiences an issue. This is what lead me to believe it was iPhone keychain related somehow, but I have no proof. All I have is a wide-scale problem that 'doesn't happen at home' for these users.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe81775
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk36229
I would upgrade to 17.12.4 and then see if the problem goes away.