Client Provisioning Portal, Cisco ISE

Tutu
Level 1

Hello, I'm having issues with client provisioning: the browser doesn't redirect to the client provisioning portal.


It selects the Employee_Unknown policy but does not redirect to the portal.

That's my redirect ACL on the switch:


Extended IP access list REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.200.222.82
40 permit ip any any

[Screenshot: chainingpolicies2.png]

Overview
Event 5200 Authentication succeeded
Username tempadmin
Endpoint Id 70:5A:0F:2A:47:DE
Endpoint Profile HP-Device
Authentication Policy Wired >> Dot1x
Authorization Policy Wired >> Employee_Unknown
Authorization Result Employee_Unknown

Authentication Details
Source Timestamp 2020-10-23 10:48:31.284
Received Timestamp 2020-10-23 10:48:31.284
Policy Server -ISE-PAN
Event 5200 Authentication succeeded
Username tempadmin
Endpoint Id 70:5A:0F:2A:47:DE
Calling Station Id 70-5A-0F-2A-47-DE
Endpoint Profile HP-Device
IPv4 Address 10.100.105.53
Authentication Identity Store -AD
Identity Group Profiled
Audit Session Id 0AC8D0640000005F15372ECA
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
Service Type Framed
Network Device Test
Device Type All Device Types#Wired
Location All Locations#-HQ
NAS IPv4 Address 10.200.208.100
NAS Port Id GigabitEthernet1/0/10
NAS Port Type Ethernet
Authorization Profile Employee_Unknown
Posture Status Pending
Response Time 27 milliseconds

Other Attributes
ConfigVersionId 131
DestinationPort 1812
Protocol Radius
NAS-Port 50110
Framed-MTU 1500
State 37CPMSessionID=0AC8D0640000005F15372ECA;38SessionID=-ISE-PAN/392570377/26124;
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID -ISE-PAN/392570377/26124
SelectedAuthenticationIdentityStores -AD
SelectedAuthenticationIdentityStores Internal Users
SelectedAuthenticationIdentityStores Internal Endpoints
AuthenticationStatus AuthenticationPassed
IdentityPolicyMatchedRule Dot1x
AuthorizationPolicyMatchedRule Employee_Unknown
EndPointMACAddress 70-5A-0F-2A-47-DE
EapChainingResult No chaining
ISEPolicySetName Wired
IdentitySelectionMatchedRule Dot1x
AD-User-Resolved-Identities tempadmin@.go.tz
AD-User-Candidate-Identities tempadmin@.go.tz
AD-User-Join-Point .GO.TZ
AD-User-Resolved-DNs CN=tempadmin,OU= Systems Mail Accounts,OU=,DC=,DC=go,DC=tz
AD-User-DNS-Domain .go.tz
AD-Groups-Names .go.tz//-vendor
AD-Groups-Names .go.tz/Users/Domain Computers
AD-Groups-Names .go.tz/Users/Domain Users
AD-User-NetBios-Name
IsMachineIdentity false
UserAccountControl 512
AD-User-SamAccount-Name tempadmin
AD-User-Qualified-Name tempadmin@.go.tz
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
DTLSSupport Unknown
HostIdentityGroup Endpoint Identity Groups:Profiled
Network Device Profile Cisco
Location Location#All Locations#-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
ExternalGroups S-1-5-21-1599665614-3669406812-1110840323-2730
ExternalGroups S-1-5-21-1599665614-3669406812-1110840323-515
ExternalGroups S-1-5-21-1599665614-3669406812-1110840323-513
IdentityAccessRestricted false
RADIUS Username tempadmin
Device IP Address 10.200.208.100
CPMSessionID 0AC8D0640000005F15372ECA
Called-Station-ID 3C:41:0E:F2:25:0A
CiscoAVPair service-type=Framed,
audit-session-id=0AC8D0640000005F15372ECA,
method=dot1x

Result
Class CACS:0AC8D0640000005F15372ECA:-ISE-PAN/392570377/26124
EAP-Key-Name 19:5f:92:b4:95:d8:40:2d:e6:77:f4:f2:70:5b:16:8d:0d:1f:48:96:12:4b:58:83:95:8c:e8:2a:1b:00:42:c6:8a:15:15:99:c5:86:5d:df:a3:b1:e9:06:23:be:4b:ea:0a:3d:2e:a8:80:d7:f4:92:6a:35:cf:65:2c:c5:10:64:e1
cisco-av-pair url-redirect-acl=REDIRECT
cisco-av-pair url-redirect=https://-ISE-PAN..go.tz:8443/portal/gateway?sessionId=0AC8D0640000005F15372ECA&portal=44fd6796-4ebf-40d3-a24d-afbbedd3fb10&action=cpp&token=03597e29565b2137685b0afa4f056ac3
MS-MPPE-Send-Key ****
MS-MPPE-Recv-Key ****
LicenseTypes Base license consumed


Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
22072 Selected identity source sequence - Basic_Internal
15013 Selected Identity Source - -AD
24430 Authenticating user against Active Directory - -AD
24325 Resolving identity - tempadmin
24313 Search for matching accounts at join point - .go.tz
24319 Single matching account found in forest - .go.tz
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - tempadmin@.go.tz
24402 User authentication against Active Directory succeeded - -AD
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24209 Looking up Endpoint in Internal Endpoints IDStore - tempadmin
24211 Found Endpoint in Internal Endpoints IDStore
24432 Looking up user in Active Directory - -AD
24355 LDAP fetch succeeded - .go.tz
24416 User's Groups retrieval from Active Directory succeeded - -AD
15048 Queried PIP - -AD.ExternalGroups
15048 Queried PIP - Session.PostureStatus
15016 Selected Authorization Profile - Employee_Unknown
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accept

1 Reply

Hi,

Make sure that your redirect ACL in ISE is the same as on the switch (case sensitive). See this example for CWA; the redirection config is the same. Also, make sure that the HTTP server is enabled.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

***** please remember to rate useful posts
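As an added example (not code from the poster, the reply author or Cisco), the following Python script checks the two consistency points raised above against the question's own data: that the ACL name ISE sends in `url-redirect-acl` matches an ACL on the switch exactly (case-sensitive), and that the redirect ACL has the deny lines a Cisco IOS redirect ACL needs (the IOS node address is assumed to be 10.200.222.82, the host denied in the question's ACL; the portal hostname is a placeholder).

```python
import re

# Constructed sample input: the question's redirect ACL as `show ip access-lists` prints it,
# and the cisco-av-pair values from the ISE Access-Accept (portal hostname is a placeholder).
SWITCH_ACL_OUTPUT = """\
Extended IP access list REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.200.222.82
    40 permit ip any any
"""
ISE_AV_PAIRS = [
    "url-redirect-acl=REDIRECT",
    "url-redirect=https://ise-psn.example.invalid:8443/portal/gateway?sessionId=0AC8D0640000005F15372ECA&action=cpp",
]

def parse_switch_acls(output):
    """Return {acl_name: [(seq, action, rest), ...]} parsed from `show ip access-lists` text."""
    acls, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^Extended IP access list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = re.match(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$", line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return acls

def parse_av_pairs(pairs):
    # Split "key=value" cisco-av-pair strings on the first '=' only (URLs contain '=' too).
    return dict(p.split("=", 1) for p in pairs if "=" in p)

def check_redirect(acls, av, psn_ip):
    """Return a list of findings; empty means the redirect setup is consistent.
    IOS switch semantics: 'permit' lines are redirected, 'deny' lines bypass the redirect."""
    name = av.get("url-redirect-acl")
    if not name or "url-redirect" not in av:
        return ["ISE result lacks url-redirect-acl or url-redirect av-pairs"]
    if name not in acls:  # exact, case-sensitive match required by the switch
        close = [n for n in acls if n.lower() == name.lower()]
        if close:
            return [f"ACL name case mismatch: ISE sends '{name}', switch has '{close[0]}'"]
        return [f"ACL '{name}' does not exist on the switch"]
    entries, findings = acls[name], []
    required = {f"host {psn_ip}": "the ISE node (portal traffic would itself be redirected)",
                "eq bootps": "DHCP", "eq domain": "DNS"}
    for needle, why in required.items():  # traffic that must bypass the redirect
        if not any(a == "deny" and needle in r for _, a, r in entries):
            findings.append(f"no deny line matching '{needle}' for {why}")
    if not any(a == "permit" for _, a, _ in entries):
        findings.append("no permit line, so nothing is redirected")
    return findings
```

Run it with the ACL text from the switch and the av-pairs from the ISE live log detail; any non-empty result points at the mismatch to fix before looking elsewhere.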