Network Layout: 2 - Foreign Controllers (1 is in production and 1 is in QA - slated to be the new production) so I am migrating from production to the new controller. 1 - Anchor controller with mobility anchored to both Foreign controllers for guest. 1 - ISE 1.2 server in production and provides guest portal for current production controller. 1 - ISE 2.1 server in QA and will have have the 1.2 migrated over. 2 - Distinct SSIDS on the controllers for guest. 1 - SSID has the AAA server of the 1.2 server and the other SSID has the AAA server of the 2.1 server.

Problem: My current guest portal is on 1.2 and authenticates our guest via CWA with no problem. Using the 2.1 server, anchor controller and new foreign controller I created a new ssid to test the 2.1 guest portal. The problem is I cannot get the new guest portal on the 2.1 server to work. I have followed multiple documents to configure guest, but it still does not work. When I connect to the guest portal I attach to the ssid, client shows connected on both controllers and on the anchor controller I have a NAC State of CENTRAL_WEB_AUTH . The webpage comes up, but never loads and finally errors out with a time out error.

Troubleshooting: I did a debug and what I found is that even though my policy sets on the 2.1 server are setup to push down the url for the 2.1 server for some reason I am seeing hits on my production foreign controller and getting the guest url from the 1.2 server portal.

Question: Is it possible to use an anchor controller to serve up 2 guest portals with 2 seperate ISE servers using separate policies? Isn't the guest request determined by the cisco-av-pair url pushed to the client via the Authorization Policy? Does the anchor controller have any participation in what guest portal a client should use?

Any help would be greatly appreciated.

Bret