We are using session reauthenticate
https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-coa-supp.pdf
We are opening a ticket with Cisco.
The NADs (especially Apple ones) don't like the CoA reauthenticate, especially on WPA2-PSK enabled SSIDs. Theoretically, on an Open SSID, a disconnection is not supposed to occur with session-reauthenticate, but it does, or it's not always consistent, and we get the famous "Error hotspot login error".
If you look at
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Snippet from the bottom of the article:
Note that the type of CoA returned by ISE evolved across versions. ISE 2.0 will request the WLC to re-run the authentication rather than plainly disconnect the client.
The WLC will then not send a disassociation frame to the client and will run a radius authentication again and apply the new result transparently to the client.
However, things are still different if a PSK is in use. Since 8.3, the WLC supports setting a WPA pre-shared key on a CWA SSID. In that kind of situation, upon reception of the same CoA from ISE as above, the WLC will have to trigger a new WPA key exchange again. Therefore, in case of PSK, the WLC will have to send a disassociate frame to the client, which will have to reconnect. In classical non-PSK scenarios, the WLC will not send a disassociate frame to the client and will simply apply the new authorization result. However, an "association response" will still be sent to the client although no "association request" was ever received from the client, which might seem curious when analyzing sniffer traces.
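As an added example (not from this post or from Cisco's documentation): a small Python encoder/decoder for the RFC 5176 packets involved, so you can tell from a capture whether ISE sent a Disconnect-Request (code 40, client always dropped) or a CoA-Request (code 43) carrying the Cisco-AVPair `subscriber:command=reauthenticate` that the WLC handles transparently on non-PSK SSIDs. The MAC address and shared secret in the usage are constructed sample values.

```python
import hashlib
import struct

COA_REQUEST = 43          # RFC 5176 CoA-Request
DISCONNECT_REQUEST = 40   # RFC 5176 Disconnect-Request
CISCO_VENDOR_ID = 9       # Vendor-Specific (26) with Vendor-Id 9, sub-type 1 = Cisco-AVPair
REAUTH_AVPAIR = "subscriber:command=reauthenticate"  # the AVPair behind "session reauthenticate"


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    data = text.encode()
    return attr(26, struct.pack("!IBB", CISCO_VENDOR_ID, 1, 2 + len(data)) + data)


def build_request(code, identifier, attrs, secret):
    """Build a CoA/Disconnect-Request; Request Authenticator per RFC 5176 section 2.3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def cisco_avpairs(body):
    """Walk the attribute list and return every Cisco-AVPair string it carries."""
    pairs, pos = [], 0
    while pos + 2 <= len(body) and body[pos + 1] >= 2:
        atype, value = body[pos], body[pos + 2:pos + body[pos + 1]]
        if atype == 26 and len(value) > 6 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == 1:
            pairs.append(value[6:4 + value[5]].decode(errors="replace"))
        pos += body[pos + 1]
    return pairs


def classify(packet, secret):
    """Check the authenticator, then report which kind of dynamic-authorization request this is."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:]
    if length != len(packet):
        return "malformed"
    if hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest() != packet[4:20]:
        return "bad-authenticator"   # wrong shared secret or altered packet: the NAD must drop it
    if code == DISCONNECT_REQUEST:
        return "disconnect"          # client is dropped on any SSID type
    if code == COA_REQUEST:
        return "reauthenticate" if REAUTH_AVPAIR in cisco_avpairs(body) else "coa-other"
    return "unknown"
```

Feed `classify()` the UDP payload of a packet captured on the CoA port (with the NAD's shared secret) to confirm which variant your ISE version actually sends before opening the TAC case.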