Thanks Scott.  This is what I suspected.  For this to work the foreign controller, which does the iPSK/ISE part and gets the vlan assignment from ISE, would need to pass that info to the Anchor to act on.  However, all that I believe is passed to the Anchor is client info and the SSID they connect to.  The Anchor then attaches them to the interface their SSID is attached to and the client gets an IP address based on that.  It has no way of knowing the VLAN supplied in the radius response from ISE to Foreign controller.

mPSK doesn't provide enough functionality to do what we need to do.  Nor does it allow us to put the different clients with different PSK's onto different vlans.

Thanks for your input, Kev.

You seen anything on what is needed on the RADIUS side?

The WLC config guide is at: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_epsk.html
No, we didn't set the radius up ourselves - we tested it with the Eleven service. Their config guides:
ElevenOS Setup: https://eleven.zendesk.com/hc/en-us/articles/360058743511
9800 Setup: https://eleven.zendesk.com/hc/en-us/articles/4407461199501
PPK-C EKMS New Resident Onboarding Flow: https://eleven.zendesk.com/hc/en-us/articles/4408023532813

The config guide linked to in the response just does the WLC which is pretty straight forward.  Enable Easy-PSK and use MAC filtering to point it to your radius server.  The radius server seems to be the significant part here.  What do we configure on the ISE to then return a vlan to the client based on the PSK they enter?  I thought Easy-PSK was going to allow us to onboard unknown clients.  The way I have it setup just now is pretty much like iPSK.  A MAB is done for a client and based on some info from that client I return a PSK.  So I took the 1st part of the MAC and matched it to a vendor.  Then I returned a vlan and PSK.  However, I thought the point of this was not needing to know the client or their MAC beforehand.  Depending on the PSK the client submits I thought we could get the ISE to return a vlan.  So I issue PSK-1 to company A.  They use that, a MAB request is done and based on the provided PSK I return the vlan.  No previous knowledge of the client or the vendor of their device.  I can then issue further PSK's do different companies and when they use their key they get a different vlan.  Is that how Easy-PSK is supposed to work ?

What do we match on in the radius rule to then return a vlan (and PSK) to the WLC/client?

EasyPSK works and I have been using it for nearly a year now.  The problem is the need for something other than ISE to handle the dynamic registration MAC addresses to user IDs and to enforce PSK uniqueness.  There are third-party radius products that can do this when integrated with Cisco IOS-XE 17.6+ based controllers.

@casanavep I already mentioned the service we tested it with above (Eleven).

As far as I know Cisco don't natively support the solution on ISE and if they do it's not documented anywhere.  As I said above I don't believe the customer they developed it for was using it with ISE so Cisco probably never tested it with ISE, only with the customer's 3rd party platform.

As I explained earlier in the thread!  They're in an exclusive contract with the customer they developed it for and will not make any changes or development for the feature for anybody else for the duration of that contract.  And as with any such agreement, they will not discuss the details with other customers.  Your AM and SE's hands are tied - there's nothing they can do or say about it.

Now you could have a separate discussion about poor decision making/bad choices by the WNBU...  I have expressed my views on that to AM's and SE's a number of times already.   I think it's one of those embarrassing things they can't talk about because it will only make a bad situation worse.