Issue with Guest users - [400] BAD REQUEST

ciscokapajoeen
Level 1

We are using C9800 in a foreign and anchor setup with guests authorised by Cisco ISE.

As of yesterday, users have a hard time connecting to the guest SSID. They receive various errors:

- impossible to connect to the SSID

- [400] BAD REQUEST

- some do not even show anything

The strange thing is that I do not see anything on the ISE log.

13 Replies

Rasika Nayanajith
VIP Alumni

The best way to troubleshoot is to get RadioActive Traces for a given client MAC address:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html

HTH

Rasika

ajc
Level 7

I was testing the Guest SSID yesterday and I got the exact 400 BAD REQUEST message, and I immediately realized that the WLC URL redirect was not using the correct URL from the ISE Guest Portal. Once I copied the URL from the ISE Guest Portal into the WLC config, everything worked immediately. Are you using CWA or LWA? Are you F5 load balancing your ISE PSNs? You would not see any ISE hit if there is wrong DNS resolution for the URL redirect, for either CWA or LWA.

I'm seeing the following when users try to connect to the portal. I know where the URL is on the ISE Guest Portal, but where would it go in the WLC config?

romervalera
Level 1

I have the same problem, but I have two Service Nodes.

If I remove the second node from the WLC configuration, it works!

I need this redundancy for high availability reasons. Is there any way to fix it?

Hi Romer, from my previous reply, I was using LWA for Guest SSID authentication, which is not sessionized. That's why it worked even with my F5 LB in place for multiple PSNs. I moved to CWA and now I am facing the same issue as you. Only one PSN/RADIUS entry in the WLC for authentication is allowed; otherwise you will get the 400 error because your second authentication request for CWA is hitting another PSN where the session ID does not exist. I am checking the F5 ISE configuration document with the F5 load balancer in place to see if I can make it work with CWA. I will keep you informed.

Also, I am doing the same thing going through the F5 to load balance the guest portal page. It works, but sometimes 400 Bad Request pops up.

You are probably facing the following issue. I have not implemented source NAT for CWA/CoA, so a temporary solution is to point the Guest SSID to a specific PSN IP with a forwarding traffic F5 rule configured so the F5 1812/1813/8443 rules do not intervene in the Guest SSID authentication process at all. F5 acts like a default gateway only for guest authentication traffic. Keep in mind that if you are using external DNS like Google or similar for the Guest SSID DHCP IP subnet, then you need to advertise your private ISE PSN node FQDNs/private IPs to the external DNS.

https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

This is how it's currently set up; it was working for a while without any issues. Then all of a sudden it still works, but users are getting 400 errors. On the WLC I only listed one PSN. When users connect they are sent to the external F5 VIP in the DMZ. On the firewall I'm currently only allowing the F5 VIP to talk to one PSN, which is the one listed on the WLC for the RADIUS authentication. Also, on the firewall I'm only allowing the guest network to talk to the F5 VIP on port 8443 only; do I need 1812 and 1813? From the DMZ, the F5 VIP talking to the one PSN is on port 8443 also.

What is the default gateway of your ISE PSN? It should be the F5 internal interface/IP on the same subnet as the ISE PSN, so the traffic goes: internet --- outside int FW ---- DMZ / external F5 interface ---- internal F5 interface --- ISE PSN, and then returns back the same way. Have you had any recent upgrades on your version? I found that version 2.7 was stable, and now some stuff working on that version is broken on ISE 3.3. Forget 1812/1813 for now.

What is your URL in the WLC guest SSID interface for CWA? Btw, are you using CWA? If so, have you checked port 1700 for CoA?

I have it configured like this from the remote site to the F5 like you said (internet --- outside int FW ---- DMZ / external F5 interface ---- internal F5 interface --- ISE PSN), but I do not have the PSN pointed to the F5 as the default gateway. We are currently running 3.1 patch 6,9 on the ISE. I am using CWA with the pre and post ACL on the WLC.

The following is what is generated in the Authorization Profile:

cisco-av-pair = url-redirect=https://company.x.com:port/portal/gateway?sessionId=SessionIdValue&portal=(edited out some information) &daysToExpiry=value&action=cwa
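As an added illustration (not configuration from this thread or from Cisco), the script below parses a url-redirect av-pair of the form shown above and then models ajc's explanation of the 400: the RADIUS exchange creates the CWA session on one PSN, and a round-robin VIP with no persistence can send the client's portal hit, carrying that sessionId, to a second PSN that has never seen it. The host, session id and portal id in the sample are placeholders, and the PSN/load balancer classes are a simplified model, not ISE or F5 behaviour in detail.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the url-redirect av-pair ISE returns for CWA
# (placeholder host, session id and portal id, not values from the thread).
AV_PAIR = ("cisco-av-pair=url-redirect=https://ise-psn.example.com:8443/portal/gateway"
           "?sessionId=SID-PLACEHOLDER-01&portal=PORTAL-ID-PLACEHOLDER&action=cwa")

def parse_url_redirect(av_pair):
    """Split the av-pair into the redirect host/port/path and its query fields."""
    key, _, url = av_pair.partition("url-redirect=")
    if key != "cisco-av-pair=" or not url:
        raise ValueError("not a cisco-av-pair url-redirect value")
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "port": parts.port, "path": parts.path, **query}

class Psn:
    """Minimal model of one ISE PSN: it only knows sessions it created itself."""
    def __init__(self, name):
        self.name, self.sessions = name, set()
    def radius_auth(self, session_id):
        self.sessions.add(session_id)      # the RADIUS exchange creates the session here
    def portal_request(self, session_id):
        # A portal hit whose sessionId this node never saw fails: the 400 from the thread
        return 200 if session_id in self.sessions else 400

class LoadBalancer:
    """Round-robin VIP in front of the PSNs, optionally pinning a session to its PSN."""
    def __init__(self, psns, persist):
        self.psns, self.persist, self.pinned, self.rr = psns, persist, {}, 0
    def _next(self):
        psn = self.psns[self.rr % len(self.psns)]
        self.rr += 1
        return psn
    def radius_auth(self, session_id):
        psn = self._next()
        psn.radius_auth(session_id)
        if self.persist:                   # remember which PSN owns this sessionId
            self.pinned[session_id] = psn
    def portal(self, session_id):
        psn = self.pinned.get(session_id) if self.persist else None
        return (psn or self._next()).portal_request(session_id)

def simulate_cwa(n_psn, persist):
    """Portal status for one client: RADIUS auth first, then the redirect hit."""
    lb = LoadBalancer([Psn(f"psn{i + 1}") for i in range(n_psn)], persist)
    sid = parse_url_redirect(AV_PAIR)["sessionId"]
    lb.radius_auth(sid)
    return lb.portal(sid)
```

With a single PSN, or with two PSNs and session persistence, the portal hit lands where the session lives and returns 200; with two PSNs and plain round-robin it returns 400, matching the "remove the second node and it works" observation.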

romervalera
Level 1

OK, if you find something let me know. I'll be very grateful.

Arshad Safrulla
VIP Alumni

Are you using CWA or LWA? Also share the Web Auth redirect ACL; remember that for the redirection ACL, a deny action means deny redirection (not deny traffic), and a permit action means permit redirection.

Also share the IOS-XE code and the AP models.

romervalera
Level 1

Hello Arshadsaf, sorry for the delay. Our ACL is correct; I followed the recommended steps. All the APs are LWA and we have multiple models. I have two controllers too, with different versions (both are listed in the compatibility matrix): 8.5.161.11 (AIR-CT3504-K9) and 8.5.161.0 (AIR-CT5508-K9).

The APs:

AIR-AP1815I-A-K9

AIR-AP1832I-A-K9

AIR-CAP1702I-A-K9

AIR-CAP2602E-A-K9

AIR-AP1852I-A-K9

AIR-AP1542I-A-K9

AIR-CAP1532E-A-K9

AIR-AP1542I-A-K9

All of them are in the compatibility matrix too, and have the irregular behaviour.