Hi,

We recently rolled out our new SDA campus and had our Wireless in OTT due to using a single WLC for two different campuses. This was a temporary change and we are planning to roll our Wireless in SDA and separate admin domains for each WLC pair to it's dedicated sites as it's a prerequisite for SDA.

We are unfortunately facing some issues as we are very strict with separating Guest networks from Production network.
The prerequisites is that Guest portal can't be on the same ISE cluster as production and I am unable to find an adequate solution. 


1. We had an idea to simply enroll the second ISE cluster used for Wireless to an existing SDA deployment as AAA (Since Prod ISE is already integrated in DNA) as AAA can be configured per SSID. 
This of course does not work well because if we add another ISE cluster as AAA, it does not do the necessary NAD enrolment or policy. This would potentially be possible to b done manually but it adds an extra complexity and beats the purpose of having DNAC for automation. Also, we did not receive a confirmation that this would actually work in the end ) 

2. We also have a business need for features provided with SPACES and Spaces offers a captive portal that can be hosted in the cloud.
Logically, given the options to integrate spaces with DNA I would expect this should be straight forward and i can configure it as External web auth portal but it's not. I understand that this might not be supported if used with SDA and I'm wondering if this is correct and if someone found a tested workaround?