06-04-2018 10:38 AM - edited 02-21-2020 10:57 AM
Hello!
I am testing wireless web authentication using Cisco ISE, a WLC and an AP in FlexConnect mode.
My Cisco ISE version is 2.2, the WLC is AIR-CTVM-K9 (version 8.5.103.0), and the IOS version of the AP is 15.3(3)JF.
My problem is that I get a successful web authentication from ISE, but when I connect to the internet with a web browser, my traffic is still redirected again.
I searched a lot for ways to configure Central Web Authentication with WLC, ISE and FlexConnect, but I still cannot solve this problem.
I followed this guide: https://cisco-marketing.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/68191-102-1-125118/How-To_14_Universal_WLC_FlexConnect_Config.pdf
Here are the logs on my ISE.
What can we check to solve the problem?
Thanks a lot in advance.
Kind regards,
06-06-2018 10:33 AM
check this link
06-04-2018 06:24 PM
06-05-2018 01:35 AM - edited 06-05-2018 03:23 AM
06-05-2018 02:07 PM
06-06-2018 01:57 AM
06-06-2018 10:33 AM
06-06-2018 10:35 AM
Please be aware of this:
An issue with FlexConnect APs is that you must create a FlexConnect ACL separate from your normal ACL. This issue is documented in Cisco Bug CSCue68065 and is fixed in Release 7.5. In WLC 7.5 and later, only a FlexACL is required, and no standard ACL is needed. The WLC expects that the redirect ACL returned by ISE is a normal ACL. However, to ensure it works, you need the same ACL applied as the FlexConnect ACL.
06-07-2018 05:23 AM
06-07-2018 10:54 PM - edited 06-08-2018 12:16 AM
Yes, I have.
The problem is that the normal ACL doesn't work, but the FlexConnect ACL works on the access point.
I think that on Cisco ISE, url-redirect-acl is the FlexConnect ACL on the WLC and Airespace-ACL-Name is the normal ACL on the WLC.
In my Web_Redirect Authorization Profile, I configured url-redirect-acl as cwa_redirect, which is a FlexConnect ACL on the WLC, and my user can be redirected to the Portal Web Authentication. In the WirelessPermitAll Authorization Profile, Airespace-ACL-Name is PERMIT_ALL, which is a normal ACL on the WLC; the normal ACL doesn't work, and my user has no permission after authenticating.
So in the WirelessPermitAll Authorization Profile, I didn't use Airespace-ACL-Name; I used url-redirect-acl with the Flex_PERMIT_ALL ACL, which means don't redirect, and my user can connect to the internet. I know it's odd.
When I showed the access lists on the AP, I only saw the FlexConnect ACL.
How do I fix the problem? How do I make a normal ACL of the WLC work on the access point (in FlexConnect mode)?
06-08-2018 07:47 AM - edited 06-08-2018 07:55 AM
Did you check this?
The WLC expects that the redirect ACL returned by ISE is a normal ACL. However, to ensure it works, you need the same ACL applied as the FlexConnect ACL
06-08-2018 07:52 AM - edited 06-08-2018 07:55 AM
In fact, the guide you used at the beginning mentions the same thing from the link I provided to you about having the EXACT same ACL for redirect (including name) in the WLC ACL and the Flexconnect ACL. I am wondering if you verified this part.
06-08-2018 08:27 AM