10-23-2024 05:56 AM
Hi,
Not sure if this is a really weird coincidence, or not.
We upgraded from 17.9.3 to 17.12.4 and a lot of iPhone and MacBook users started having issues with our SSID that uses dot1x with PEAP-MSCHAPv2, WPA2/AES.
Controller is c9800-40, aps are 9115i, 9120i and 9120e.
11ax is enabled.
We don't have FT activated because we had issues with apple devices before.
It's not all devices, but apparently a lot, mostly from Sonoma and Sequoia I believe.
Wanted to check if someone else has experienced issues with these versions and what you did to fix it, if anything.
Trying to get our customer support to clear the profile for the ssid on the apple devices and also delete the certificate, to see if that helps.
I did some radioactive traces but they show a lot of different issues, some seem to be credential or authentication issues.
But some others are like CO_CLIENT_DELETE_REASON_MN_IDLE_TIMEOUT, CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT and also CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE.
A lot of the time, I can see that S_CO_IP_LEARN_IN_PROGRESS seems to be successful, but clients don't get an IP.
I've checked the DHCP and we have a lot of available IPs in the pool.
I also lowered the EAP timeout to 2 seconds and 10 retries, from 30 seconds and 2 retries that was default.
Not sure if it helped, clients are still having issues, not sure if more or less, but still far from all.
We've tried turning off "private IP" or what's it called, the thing that randomizes MAC addresses.
At first it seemed to work, but then we had a bunch of clients it didn't work on.
Also noticed when I was gonna monitor a device directly on an AP that it switched MAC address even though the option was turned off (Sequoia).
IP MAC Binding is however enabled, to not exclude the clients that can't turn it off.
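The original post lists several CO_CLIENT_DELETE_REASON_* codes and clients stuck after S_CO_IP_LEARN_IN_PROGRESS. As an added example (not from the poster or Cisco), here is a small triage script that tallies delete reasons per client MAC from a radioactive trace and separates 802.1X failures from "authenticated but never got an IP" cases; the trace lines are constructed, and the line layout is an assumption, so parsing relies only on the MAC and the state/reason tokens.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the spirit of a 9800 radioactive trace; the exact
# layout is an assumption, so parsing relies only on the MAC plus the S_CO_*
# state and CO_CLIENT_DELETE_REASON_* tokens named in the thread.
SAMPLE_TRACE = """\
07:01:02.100 {wncd_x_R0-0}{1}: [client-orch-state] MAC: 3c2e.f9aa.0001 S_CO_L2_AUTH_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
07:03:05.200 {wncd_x_R0-0}{1}: [client-orch-sm] MAC: 3c2e.f9aa.0001 Delete initiated. Reason: CO_CLIENT_DELETE_REASON_MN_IDLE_TIMEOUT
07:03:40.010 {wncd_x_R0-0}{1}: [client-orch-state] MAC: 3c2e.f9aa.0001 S_CO_L2_AUTH_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
07:05:41.300 {wncd_x_R0-0}{1}: [client-orch-sm] MAC: 3c2e.f9aa.0001 Delete initiated. Reason: CO_CLIENT_DELETE_REASON_MN_IDLE_TIMEOUT
07:02:10.500 {wncd_x_R0-0}{1}: [client-orch-sm] MAC: 3c2e.f9aa.0002 Delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE
07:02:30.700 {wncd_x_R0-0}{1}: [client-orch-state] MAC: 3c2e.f9aa.0003 S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN
"""

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
STATE_RE = re.compile(r"\bS_CO_[A-Z0-9_]+\b")
REASON_RE = re.compile(r"\bCO_CLIENT_DELETE_REASON_[A-Z0-9_]+\b")
# Delete reasons that point at the 802.1X/EAP exchange rather than at DHCP.
AUTH_REASONS = {"CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE",
                "CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT"}

def parse_trace(text):
    """Per client MAC: the set of S_CO_* states seen and a Counter of delete reasons."""
    clients = defaultdict(lambda: {"states": set(), "reasons": Counter()})
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        rec = clients[m.group(1).lower()]
        rec["states"].update(STATE_RE.findall(line))
        rec["reasons"].update(REASON_RE.findall(line))
    return dict(clients)

def triage(clients):
    """Map each MAC to a one-line verdict on which layer the join is failing at."""
    findings = {}
    for mac, rec in clients.items():
        reasons, states = rec["reasons"], rec["states"]
        if any(r in AUTH_REASONS for r in reasons):
            findings[mac] = "802.1X failure: check RADIUS logs and EAP timers"
        elif ("S_CO_IP_LEARN_IN_PROGRESS" in states and "S_CO_RUN" not in states
              and reasons["CO_CLIENT_DELETE_REASON_MN_IDLE_TIMEOUT"]):
            findings[mac] = "authenticated but no IP learned: check DHCP relay/helper"
        elif "S_CO_RUN" in states:
            findings[mac] = "healthy: reached RUN"
        else:
            findings[mac] = "inconclusive: collect a longer trace"
    return findings

if __name__ == "__main__":
    for mac, verdict in triage(parse_trace(SAMPLE_TRACE)).items():
        print(mac, verdict)
```

Feed it the saved output of the controller's radioactive trace instead of SAMPLE_TRACE; any line without a MAC is ignored, so other log noise does not need to be filtered out first.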
10-23-2024 06:14 AM
Is it only an Apple products issue, with other laptops working as expected?
Suggest to debug from the controller using one of the device MACs and see what is wrong.
Also verify if anything changed after the upgrade: if you have taken a config backup, compare what was added and what is missing.
Is this authentication using ISE as RADIUS? Check the logs: what is the reason it's failing?
10-23-2024 06:46 AM
If you check number of clients on 2.4 GHz vs. 5 GHz, what is the distribution on the APs near the clients? Typically, the vast majority if not all of them will be on 5 GHz (assuming relatively modern and capable clients and dual band SSID), so if most/all are on 2.4 GHz, you may be having the issue described in this post: https://community.cisco.com/t5/wireless/how-monitor-cisco-ap-load/m-p/5210173/highlight/true#M276657
If so, try rebooting the APs.
10-23-2024 07:53 AM
- The basic c9800-40 configuration check is always useful, also after upgrades:
Use the CLI command show tech wireless, not simple 'show tech', and feed the output from that into
Wireless Config Analyzer
You will get lots of stuff and parameters to look into which could be related ==> This is so good
Use https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
to follow up on overall client behavior, obtaining stats, and possibly getting further insights
- Best DHCP setup is described in https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#DHCPbridgingandDHCPrelay
M.
10-23-2024 02:20 PM
Disable 802.11k, v r.
If this works, then it could be CSCwm00078.
10-24-2024 01:30 AM
Thank you guys for all the replies and suggestions.
Yes, it's only Apple devices, the latest update from customer support is that it seems to be Sonoma and Sequoia on MacBooks, as well as late versions of iOS on iPhones.
But it's also far from all, it does work for the majority, I can see in the controller that we have a bunch of MacBooks from 2020-2023 connected, as well as iPhones and "Apple Devices", I also noticed some that connected as "Unknown device".
No, we're not using ISE as RADIUS server, I'm not in charge of the RADIUS server, but yes, if that's the reason I will have him look if he can see anything in the logs.
Learned the hard way you have to use show tech wireless, I do have that output from after the upgrade, but all show tech I got from before is without wireless sadly.
We're routing the vlan for this SSID on a router, so ip helper is set over there, hasn't been an issue before, maybe this should be moved to the wlc?
Will definitely look into those monitor commands, thanks!
Starting with trying to disable k and v, r has always been off since we tried adaptive ft and haven't really had the time to troubleshoot why that isn't working since then, also apple devices having issues that time.
One thing I'm trying first is disabling OKC, I really can't recall if this was enabled in 17.9.3.
But if I understand that correctly it caches keys for encryption, maybe there is some issue here with WNCD roaming or something?
Our Site-Tag design has needed some work since the start, but lack of time has sadly pushed that to the future, so 2/3 of our APs are in the same Site-Tag, I did see that in 17.12.3(?) they changed how aps are deployed amongst WNCDs.
Just mentioning this because I saw in a radioactive trace a user had a bunch of client deletes because of WNCD roaming, probably intended, but since this has changed from our earlier version, it might be a bug there or something.
10-24-2024 11:36 AM
> We're routing the vlan for this SSID on a router, so ip helper is set over there, hasn't been an issue before, maybe this should be moved to the wlc?
no - keeping that on the router is the recommended option (see Best Practice link below)
And there's also a nasty bug in the helper address code for SVI on 9800 if you have more than 1 server to relay to which we have opened. CSCwm73020
Have you installed all the SMUs and latest APSP?
10-24-2024 11:58 PM
No, those things are kinda new to me.
Should I always install them or when TAC asks me to do so?
Also an update, I got verified that authentication seems to be working. At least for this client that I looked at yesterday.
He got authenticated.
I could see in the client list in the WLC that he got an IP.
But there were no requests on either of the DHCP servers.
The client did not show any IP.
We then tried to put in the IP as a static IP, and that worked.
My thinking is, the client has received an IP before from the DHCP, and somehow the WLC remembers that IP?
I tried to add dhcp helper and dhcp required for this WLAN/Policy.
Waiting to see if that helped.
11-01-2024 02:43 AM
I'm not sure if my last change was what made things work or if Apple came with a bug fix or something.
Since the last change I did was friday afternoon, and now it's been a week without any reported issues.
Most of the ones that customer support had talked to got it working now.
The last thing I did was to put dhcp required and ip helper for the vlan and ssid.
It is routed on a router, not on the WLC, so I felt like it shouldn't matter, but if someone else runs into the issue with devices not getting an IP, I guess it could be something to try.
11-01-2024 02:55 AM
- Good work. Use https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
to follow up on client behavior and to check if everything remains OK from a client perspective,
M.