Is it possible to use tcp port 443 for the ISE guest portals (hotspot, self-register, etc)? Typically the port range for guest portals are TCP/8000-8999 (default port is TCP/8443). If not, is there a way to make it work, without say using a load-balancer to proxy port 443 on the frontend to 8443 on the backend?
You might need to delve into the requirement a bit more to determine what the justification is. The connection still HTTPS, so it provides the same level of security.
Even with another device in front to port forward, this would be difficult to accomplish as the port is sent in the URL redirect from ISE to the NAD, which then presents it to the client. You would have to intercept the RADIUS session between ISE and the NAD and rewrite the redirect URL that the NAD would then push to the client.