
Cisco ISE Guest portal airespace id configuration

teymur azimov
Level 1

I configured a Guest portal on Cisco ISE. I attached a photo of the authorization policy. Now I need to configure Airespace ID 2 for guest users. Do I need to create a new authorization policy and apply a new condition for the Airespace ID, or must I only create a new condition and apply the current CWA authorization rule?

Thanks for your help.

5 Replies

teymur azimov
Level 1

Attached file. Two authorization policies for the guest portal.

Here is what I would recommend:

1. Create a new policy set and name it "Wireless-Name_of_SSID"

2. For the matching condition for that rule I would match it against the "Airespace ID" (taken from the controller)

3. I would set the default authorization rule to CWA

4. Then I would place the appropriate guest authorization rules above that

5. Remove the rules from the default policy set

That way a user who associates to the guest SSID would first hit the CWA rule, which would force web redirection to the guest portal. Then after the user logs in, she/he would hit one of the rules that you created in step #4

Hope this helps

Thank you for rating helpful posts!
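
The evaluation order described in the reply above, as an added example that is not part of the original thread and is not ISE configuration or an ISE API: a toy Python model of top-down, first-match authorization with a policy set keyed on WLAN ID 2. The rule names, result names and the `guest_logged_in` flag are assumptions made for illustration; it also shows what happens if a catch-all CWA rule is placed above the guest rule.

```python
from typing import Callable, NamedTuple

class Rule(NamedTuple):
    name: str
    matches: Callable[[dict], bool]
    result: str

class PolicySet(NamedTuple):
    name: str
    matches: Callable[[dict], bool]  # entry condition for the whole set
    rules: list                      # evaluated top-down, first match wins
    default: str                     # default authorization rule

def authorize(policy_sets, req):
    """Return (policy set, rule, result) for the first match, top-down."""
    for ps in policy_sets:
        if not ps.matches(req):
            continue
        for rule in ps.rules:
            if rule.matches(req):
                return ps.name, rule.name, rule.result
        return ps.name, "Default", ps.default
    return "none", "none", "DenyAccess"

GUEST_WLAN_ID = 2  # the WLAN ID from the question

def on_guest_wlan(req): return req.get("wlan_id") == GUEST_WLAN_ID
def logged_in(req): return req.get("guest_logged_in", False)  # hypothetical flag

guest_rule = Rule("Guest-After-Login", logged_in, "PermitGuestAccess")
cwa_rule = Rule("CWA-Catch-All", lambda req: True, "CWA-Redirect")
fallback = PolicySet("Default", lambda req: True, [], "DenyAccess")

# Layout from steps 1-4: guest rule on top, CWA as the default rule.
RECOMMENDED = [PolicySet("Wireless-Guest", on_guest_wlan, [guest_rule], "CWA-Redirect"), fallback]
# Misordered variant: a catch-all CWA rule sits above the guest rule.
MISORDERED = [PolicySet("Wireless-Guest", on_guest_wlan, [cwa_rule, guest_rule], "CWA-Redirect"), fallback]

# Constructed sample sessions (not captured from a real controller).
BEFORE_LOGIN = {"wlan_id": 2}
AFTER_LOGIN = {"wlan_id": 2, "guest_logged_in": True}
OTHER_SSID = {"wlan_id": 1}

def walk(policy_sets):
    """Results for the three sample sessions, in order."""
    return [authorize(policy_sets, r)[2] for r in (BEFORE_LOGIN, AFTER_LOGIN, OTHER_SSID)]

if __name__ == "__main__":
    print("recommended:", walk(RECOMMENDED))
    print("misordered: ", walk(MISORDERED))
```

In the misordered layout the logged-in session is redirected again instead of being permitted, which is why the guest rules go above the CWA rule.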

As I understand, I must create a new authorization rule named Guest ssid, then create a new condition (airespace id 2), and then I must create a permission in this new rule. Which permission must I create? Can I apply Sofaz_guest_wlan_cwa permission sofaz_wlan-cwa in the Guest ssid rule?

What will I do with the sofaz_guest_wlan and sofaz_guest-wlan_cwa authorization rules? Must I modify these rules?

Take a look at the following document. It is for an older version of ISE with no policy sets but it should still give you a good example:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc7

If the new rules are working properly, you can simply delete the old rules, as they will not be required. So after confirming the new rule is working, you should delete the sofaz_guest_wlan and sofaz_guest-wlan_cwa authorization rules.