ISE Redirection

KevinR99
Level 1

Hi

I have a strange issue and no doubt I'm missing something basic but it has me scratching my head.

I've been playing around with Guest portals. I have Guest 1 on Gig1 and Guest 2 on Gig 2. In my authorization profile I supply the portal IP address to bypass DNS resolution. The policy is pretty simple. The authentication rule checks Guest Users and has the options set to Auth fail and User not found to continue. The Authorization policy is as standard. The first rule matches Wireless MAB and Guest flow then permits. The second rule matches MAB and the SSID name and invokes an authorization profile pointing to the Guest Self register portal. The portal is enabled on Gig1 and the profile applies a redirect ACL that is on the WLC and the Guest self register portal is chosen.

I've been testing this over the last few days.  I know my redirect ACL is good as it's not changed from when it was working.  Prior to a test connection I delete the client from the Context visibility - Endpoints area and I make sure the WLC doesn't have the client as connected.  I then try to connect.  This time the client just connects.  No redirection attempted.  When I look in the ISE live logs it says the client is authenticated based on their MAC address and the correct redirect URL has been sent.  But my clients never redirect anymore.

I have done this lots of times before and the usual issue I have to solve is the client gets redirected but can't get to the portal for some reason. I can usually fix that no problem. This time it just lets the client on and in the WLC log it has been authenticated based on the MAC. I see the following in the ISE logs:

The host is not found in the internal endpoints identity store
 15048 Queried PIP - Radius.Called-Station-ID
 15016 Selected Authorization Profile - XXX-portal-redirect
 11002 Returned RADIUS Access-Accept

So I expect the client to be redirected to allow me to enter credentials and then the registered username is what is successfully authenticated for access on the ISE and WLC.

Anyone have any ideas on this one?

Thanks, Kev. 

3 Replies

KevinR99
Level 1

I decided to do a rebuild of my lab and all is ok now. Not quite sure what the issue was but I have it working now. As a troubleshooting aid, does anyone have recommended debugs I can use on Cat9800s for such issues? I find the radioactive trace on a client MAC produces way too much info and it's difficult to find what you're looking for.

Thanks, Kev.

hslai

I appreciate your response. However, the Cat9800 does point me to all those logs etc. in that URL. My issue is there is just too much there and I'm looking for specific debugs that may assist rather than a great big load of output that takes significant time, or TAC, to look through. I was hoping for a debug to maybe show traffic the WLC has decided to redirect. Sometimes there are debugs that throw up a concise nugget of info that points us to the issue rather than grabbing lots of logs and captures and having to plough through them looking for the nuggets.

I do appreciate your contribution though.

Kev.