I have used the AireOS translator for a reference.  Not the easiest output to go through and pick out the parts.  

We don't use the Cisco provided webauth bundle.  We redirect to the external webserver for the auth page.  Have not read anywhere that the 9800 required specific coding.  On the DCs we use soely for Guest, if the client's MAC address is entered as the ID and its PW, the client never sees the WebAuth page.  We do this to support the devices that can't display web pages and for certain external customers who need to access the Guest WLAN.  If the MAC address is not entered, that is where the L3's On MAC Filter Failure kicks in and displays the the WebAuth page.   We have a custom process that user calls the phone number displayed and is presented options. The end result is the system generates a ID/PW that the user then enters on the displayed WebAuth page to gain access to the Guest WLAN.

Nothing is easy to read, but that is the additional effort folk have to go through when they plan on migrating from AireOS to the 9800's.  It's not the same so never expect it to work without making changes.  Also, there is specific coding for the reply to come back to the controller and that is why they supply templates for users to reference, modify or use.  You must of used this in AireOS and modified the html to your liking with the specific code required.  That is the same with the 9800's.  Anyway's I think you need to also look at any changes that might be required on your NPS and what logs do you see.  There are things that others might use like what @Flavio Miranda mentioned.

Maybe a good time to also open a TAC case.. I do see you have other questions on the forum also.

I'll look into @Flavio Miranda suggestion tomorrow.  The 9800 WLC config is obviously radically different than AIreOS.   My 1st time seeing it.  All my experience is with WiSM v1 up to the 5508 8.5 AireOS. Some of the 9800 config is easy.  Other screens not so much.  I just did not anticipate the Guest WLAN config to be "complicated" or possibly need changes to NPS which currently work with the 5508 Guest WLAN.  I may open a TAC case to see if they can help if I can't make any headway this week.

-Perry

Update -- I've spent entire afternoon with TAC.   He has not been able to figure it out either.   We took radioactive traces and checked logs in NPS.  We see the 9800L passing the MAC up to the NPS and the 9800L sees the MAC being sent.  

wncd_x_R0-0}{1}: [mab] [20719]: (info): [4c2e.b486.4bb7:capwap_90000005] MAB received an Access-Reject for 0x37000027 (4c2e.b486.4bb7)
2023/03/29 14:55:53.705239101 {wncd_x_R0-0}{1}: [errmsg] [20719]: (note): %MAB-5-FAIL: R0/0: wncd: Authentication failed for client (4c2e.b486.4bb7) with reason (Cred Fail) on Interface capwap_90000005 AuditSessionID FD03000A0000004F2EB9FD66

This needs to then display the custom Webauth Page we spec in the Redirect URL for login host on an external web server via On MAC Filter Failure

It's a bit frustrating as it was easy to setup in the 5508 AireOS and seems it should be straightforward here in the 9800 IOS-XE. 

Yeah.  The aireos to ios-xe converter spit out 1500 lines.  I have been going thru the AAA / Radius sections to see if there are differences.  In 9800 AAA Global config, the Radius Attributes match what is specified in the 5508.   MAC-Delimiter is hyphen.  NPS logs see the request and the radioactive trace shows the client info being sent to the NPS on the Domain Controller.  If the MAC address is in the DC as the userid/password, it should authenticate and NOT display the external WebAuth page.  I am testing with an iPad.  When trying to join the guest SSID on our production 5508, I get the WebAuth page as expected where I can enter our IT Dept "backdoor" ID/PW we use for testing.     Trying it on the 9800, I get an IP address but no external WebAuth page.   If I open a web browser and manually enter the URL, the page will display but the ID/PW Authentication does not work.

-Perry

We've got it working fine on 17.6.4 and 17.9.3 so unless it's a new bug in 17.10.1 then it must be a mistake in your config.

Why did you use 17.10.1 - is there a feature you needed?  Otherwise you should stick to 17.9.x as it's the extended support release - maybe switch to 17.9.3 to be sure?

Maybe you can share a sanitised version of your full config (all relevant parts) to check?

So does the WLC send the redirect after it gets the MAC reject from NPS? (you've said what it should do, which we know,  but not what it did do)
What exactly happened after that?
Which point does it fail at?

the 9800L came in with 17.6.   We had AP join issues - one of the TAC suggestions was to upgrade the IOS.   I mentioned that we wanted to acquire some 9166 6e APs so he mentioned trying17.10.  The upgrade did not fix the AP problem anyway.  We just stayed on 17.10.  So far, TAC has not mentioned any bug relating to the External WebAuth.

I took the aireos-to-ios conversion output and searched for and did not find any "aaa server radius dynamic-author" stmts.  

We can see the MAC failure in the radioactive traces and can see the information in the NPS Event Logs.   The WebAuth page on the external WebServer just will not display.  It works perfectly on the 5508.  I'll see where we get today with TAC and will post logs etc here if we get no progress.  

Thx

-P

17.9.3 supports the 916x APs:
 https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#c9800-ctr-ap_support

17.10 features - in case you require any of them: 
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/release-notes/rn-17-10-9800.html#Cisco_Concept.dita_602a09ee-0ce9-407a-b548-043c53fd8255

I'd recommend using 17.9.3 and stay on 17.9.x for now as 17.10 will not get any bug fixes.  When 17.12 is released start planning a move to that.

CSCvt96686 is supposed to be fixed in 17.10.1
I still think you need to move to and extended support code train like 17.9

When you talk about passive and active presume you're referring to active and standby HA-SSO?
How did you "disconnect" it?
Removing standby shouldn't have any effect at all and even if you disconnected the active by mistake it should seamlessly switchover to standby.  You must have some other problem there because it should never take that long to join - are you sure the AP wasn't joining another controller?