Correction @Leo Laohoo 
9172I requires 17.15.2b or 17.5.3 and later. 
9172H will require 17.17.1 or later (meaning 17.17.1 until 17.18.1 is released in a few months).
We'll find out what the new models need when they are released.

Warning: there's an undocumented change in behaviour between 17.15.2 and 17.15.3 for 802.11be (WiFi 7): older/weaker AKM was allowed on WPA3 WLANs on 17.15.2 (not strictly compliant with the standard).  If you upgrade to 17.15.3 the config is still allowed but the standard is enforced on client association so any client attempting to associate with 802.11be and using a weaker AKM will quietly fail association and never be able to associate.  You must either disable 802.11be on the WLAN or remove the weaker AKM to resolve the issue.  There is a risk that some clients may not support the correct AKM.
This is actually documented in the 17.15.3 Release Notes:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/release-notes/rn-17-15-9800.html#behavior-change_17151
"If you have enabled 802.11be and Wi-Fi clients connect to an SSID, the SSID must be compatible with Wi-Fi 7 requirements (WPA3; if using SAE, it must be SAE-EXT or SAE/SAE-EXT). This functionality was optional in Cisco IOS XE 17.15.2, but in Cisco IOS XE 17.15.3, it is enforced." although the effect it has is not made clear.

Thanks for sharing Anand's presentation.  

He'll need to update this to include the 9179 & 9174.  

Hi Saikat
Thanks for the feedback and clarification!
1. About versioning, as you and Leo pointed out, we’ve got plans to upgrade the firmware. As long as we can manage both the old and new access points (APs) on a supported version, we should be good to go.
2. For WPA3, I think it’s best to set up the new WiFi 7 APs with a new SSID. This way, if some client devices can’t connect, they can still use the WiFi 6 APs.
3. Since not all endpoint devices support WPA3 and WiFi 7, we need to keep a few things in mind, like roaming and Power over Ethernet (PoE). I’m considering a temporary setup that shifts to WiFi 6E for now, and we can decide on the WiFi version during the next hardware upgrade. Roaming is super important for us because we’ve got some WiFi 6 outdoor APs that overlap with indoor ones, and our WiFi clients need to roam seamlessly while moving around.
4.I heard about roaming in WiFi 7, and it’s kind of interesting. A device moving from a WiFi 7 access point to a WiFi 6 might stick with the WiFi 7 network even if the signal isn’t great. So, instead of switching to the WiFi 6 AP with a better signal, it just stays connected to the WiFi 7 because it’s considered the better technology. Is that right? Have you noticed this happening in procuction?

Cheers, John

    @John.Mayer   >....A device moving from a WiFi 7 access point to a WiFi 6 might stick with the WiFi 7
                                                   Isn't that a contradiction ?

  M.

I heard this from a colleague, but I cannot confirm it since I could not find any documents to verify it.

The point is roaming decisions are always made by the client.

> So, instead of switching to the WiFi 6 AP with a better signal, it just stays connected to the WiFi 7 because it’s considered the better technology. Is that right?
The tables of Apple device preferences shared by the others will provide some explanation of how this can happen.
I can't remember the precise details but Cisco themselves saw something like this at Cisco Live Amsterdam in February 2025.  This was because they had a mix of 6E and 6 APs and (if I remember correctly) wider channels on 6GHz which caused the sub-optimal clingy behaviour. I saw my iPhone clinging to an unusable connection when I was meters line of sight from the nearest AP.  After hundreds of complaints (and Cisco staff experiencing it too) the Cisco NOC tweaked the settings for the rest of the week making a huge improvement. It might be mentioned in some of the WiFi presentation recordings later in the week.

@Nicolas Darchis may remember the exact details of the changes required to get it working reliably at Cisco Live.

Yes, the protocol being the same between wifi6 and wifi 6e APs, our problem was the wider channel in 6Ghz that was not available on wifi6 APs without 6ghz.

It should be smoother if you mix wifi7 with wifi6E where both have 6ghz but then you may have a client prefering the 802.11be protocol over 11ax.

The best when you mix is to have a clear area where you have your new APs and a clear area where you have your old. Roaming might be a bit rhough between those 2 areas but problem stays limited. If you salt 'n pepper your new APs all over the place, you risk making everyone miserable.

Thanks for confirming @Nicolas Darchis 

Thanks for sharing your thoughts @John.Mayer . I believe endpoint NIC is going to play a pivotal role to determine which one it is 'liking' the most and at what point it will move. That being said, I read this (Sec -Selection criteria for band, network and roam candidates) about apple which pretty much align with what you said. 

Another solution that comes to mind is to purchase WiFi 7 access points, such as the 9177, and only enable either the 5G or 2.4G band. This way, there won’t be any issues on the client side. We just need to ensure firmware compatibility and perform upgrades as necessary. Additionally, this approach will give us hardware that supports future features of WiFi 7. What are your thoughts?

Agreed with your idea. As long as Wifi7 features are not working, endpoints should work. Disabling 2.4Ghz is always a preferred option at any given day - unless you have some 'weird' & 'ancient' devices which only talks over 2.4.