In a distributed deployment where there is more than one PSN, how do we have a common URL for guest redirection when doing CWA (assuming no load balancer is used for the PSNs)? Usually the redirection URL would be 'https://<ise01.fqdn>/guestportal' or 'https://<ise02.fqdn>/guestportal', and we can only specify one in the WLC guest SSID?
When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:
When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For the eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias (name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of the IP address during URL redirection. To do this, you can use the ip host command in configuration mode from the Cisco ISE CLI:
If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
When you use non-eth0 interfaces for client provisioning, native supplicant, or guest flows, make sure that the IP address or host alias for the non-eth0 interfaces is configured in the Policy Service node certificate's SAN fields; otherwise the client will see a certificate name mismatch on redirect.
Why do you want a common URL? CWA with ISE works the way you describe yourself: ISE puts the PSN hostname in the URL by itself, depending on which PSN got the initial RADIUS request from the WLC. This works just fine. If you are concerned about balancing the load between the PSNs, you should search for Aaron Woland's document on load balancing with ISE here on the community pages; it's not a simple task.
Just in case I wasn't completely clear in my answer: if you do no load balancing of your PSNs, you can't have a single URL for CWA guest redirect; ISE does not have any built-in load-balancing feature.
The reason why load balancing is a little tricky is that the session ID, which is part of the redirect URL, is only known by the PSN that received the initial MAB request from the WLC when the client connected to the SSID. If you load-balance the guest portal and just randomly or round-robin redirect to a PSN, you will very likely hit one that does not know that session ID, and your login will fail. You need to keep the client sticky to the PSN that the WLC sent the RADIUS request to.
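As an added illustration (not code from the thread, from Cisco, or from ISE itself), this Python model expands the av-pair placeholders following the eth0 / host-alias rules quoted from the documentation above and then checks the session-to-PSN stickiness the last reply describes; the template string, node names, domain, addresses and session ID are all constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed template standing in for the cisco-av-pair redirect string (assumption:
# the real string is not reproduced in the thread). "ip:port" and "SessionIdValue"
# are the placeholders ISE fills in.
AV_PAIR_TEMPLATE = "url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&action=cwa"

@dataclass
class PsnNode:
    fqdn: str                  # node FQDN, substituted for eth0
    ip_domain: str             # configured IP domain name, appended to bare host aliases
    iface_ips: dict            # interface name -> IP address
    host_aliases: dict = field(default_factory=dict)  # 'ip host' mappings for eth1-eth3

    def hostname_for(self, iface: str) -> str:
        """What ISE substitutes for 'ip' in the redirect URL on this interface."""
        if iface == "eth0":
            return self.fqdn
        alias = self.host_aliases.get(iface)
        if alias is None:
            return self.iface_ips[iface]      # no mapping: raw interface IP stays in the URL
        if "." in alias:
            return alias                       # full FQDN-string supplied with 'ip host'
        return f"{alias}.{self.ip_domain}"     # bare alias + IP domain name -> FQDN

def build_redirect(psn: PsnNode, iface: str, session_id: str, port: int = 8443) -> str:
    """Expand the av-pair template the way the documentation excerpt describes."""
    url = AV_PAIR_TEMPLATE.split("=", 1)[1]
    url = url.replace("ip:port", f"{psn.hostname_for(iface)}:{port}", 1)
    return url.replace("SessionIdValue", session_id, 1)

def session_id_from(url: str):
    return parse_qs(urlsplit(url).query).get("sessionId", [None])[0]

def portal_can_serve(session_owners: dict, url: str, serving_psn: str) -> bool:
    """Model of the stickiness requirement: only the PSN that received the initial
    MAB/RADIUS request knows the session ID, so any other PSN fails the login."""
    sid = session_id_from(url)
    return sid is not None and session_owners.get(sid) == serving_psn

if __name__ == "__main__":
    # Constructed sample node and session-owner table.
    psn = PsnNode("ise01.example.com", "example.com",
                  {"eth0": "10.0.0.11", "eth1": "192.0.2.11", "eth3": "192.0.2.13"},
                  {"eth1": "guest-ise01"})
    url = build_redirect(psn, "eth1", "0A0000010000001A")
    print(url)
    print(portal_can_serve({"0A0000010000001A": "ise01"}, url, "ise02"))  # False
```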