Have an HA 5760 Foreign MC Pair, 5760 Anchor and a 3850 MA. All running 3.7.3E software.
Client connects to guest SSID served from AP registered to MA. Associates, gets DHCP IP address fine, but the client browser pop-up/prompt doesn't occur. On an iPhone, if I manually open a browser and try to browse to Google, I get redirected to the Guest Portal and authentication works normally. Androids and a Windows laptop can't even do that; they get a "website can't be found" error. Anchor WLC sits in customer DMZ, so uses public DNS. Externally-sourced certificate from DigiCert bound and associated to Portal's certificate group tag.
Had to leave before I got into any deep troubleshooting, but nothing struck me as odd off the top of my head. The redirect ACL is below:
ip access-list extended GUEST-REDIRECT
 deny udp any eq 58 any eq 57
 deny udp any any eq 53
 deny ip any host <ISE node IP>
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
Any thoughts or recommendations are appreciated.
Thanks,